Purchase Cards: Control Weaknesses Leave DHS Highly Vulnerable to
Fraudulent, Improper, and Abusive Activity (19-JUL-06,		 
GAO-06-957T).							 
                                                                 
In the wake of the 2005 hurricanes in the Gulf Region, GAO and	 
the Department of Homeland Security Office of Inspector General  
(DHS OIG) initiated a number of audits and investigations	 
addressing the federal government's response to those events.	 
Department of Homeland Security (DHS) cardholders made thousands 
of transactions related to hurricane rescue and relief		 
operations. GAO, working with DHS OIG, interviewed DHS personnel 
and reviewed purchase card policies and procedures to assess the 
control environment. GAO and DHS OIG conducted statistical tests 
from a random sample of transactions and performed data mining on
all DHS purchase card transactions for a 5-month period beginning
in June 2005. GAO and DHS OIG looked at all transactions in this 
period because the database did not distinguish hurricane related
from routine purchases. GAO and DHS OIG used the testing results 
to determine the extent of control weaknesses and identify	 
instances of fraud, waste, and abuse. This testimony addresses	 
whether (1) DHS's control environment and management of purchase 
card usage were effective; (2) DHS's key internal control	 
activities operated effectively and provided reasonable assurance
that purchase cards were used appropriately; and (3) indications 
existed of potentially fraudulent, improper, and abusive or	 
questionable purchase card activity at DHS.			 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-06-957T					        
    ACCNO:   A57125						        
  TITLE:     Purchase Cards: Control Weaknesses Leave DHS Highly      
Vulnerable to Fraudulent, Improper, and Abusive Activity	 
     DATE:   07/19/2006 
  SUBJECT:   Disaster relief aid				 
	     Federal procurement				 
	     Federal procurement policy 			 
	     Financial management				 
	     Fraud						 
	     Internal controls					 
	     Policy evaluation					 
	     Program abuses					 
	     Government agency oversight			 
	     Government purchase cards				 
	     Policies and procedures				 
	     Waste, fraud, and abuse				 
	     Government Purchase Card Program			 
	     GSA SmartPay Program				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-06-957T

     

     * GAOHQ-1647606-v3-DHS_PC_TESTIMONY_7-17.pdf
          * Summary
          * Weaknesses in DHS's Overall Control Environment Contributed
               * Unimplemented Agencywide Manual Contributes to Inconsistency
               * Insufficient Resources Committed to Purchase Card Program
               * Evidence Lacking that Most Cardholders Received Required Tra
               * Monitoring and Oversight Needs Improvement
          * Inconsistently Implemented Control Activities Leave DHS Vuln
               * Statistical Tests Indicated Weak Internal Controls
               * Online Reconciliation and Certification Processes Not Fully
               * DHS Used a Provision of the Federal Acquisitions Regulations
          * Potentially Fraudulent, Improper, Abusive, or Questionable T
               * Potentially Fraudulent and Improper Activity Related to Purc
               * Abusive and Questionable Transactions
          * Concluding Observations
          * Contacts and Acknowledgments
          * Appendix I: Prior GAO Purchase Card Audits
          * VHA Purchase Cards: Internal Controls Over the Purchase Card
          * Appendix II: Background
          * The Department of Homeland Security's (DHS) purchase card pr
          * Appendix III: Scope and Methodology
               * Statistical Sample of Internal Control Procedures
               * Data Mining
     * GAOHQ-1647606-v3-DHS_PC_TESTIMONY_7-17.pdf
          * Summary
          * Weaknesses in DHS's Overall Control Environment Contributed
               * Unimplemented Agencywide Manual Contributes to Inconsistency
               * Insufficient Resources Committed to Purchase Card Program
               * Evidence Lacking that Most Cardholders Received Required Tra
               * Monitoring and Oversight Needs Improvement
          * Inconsistently Implemented Control Activities Leave DHS Vuln
               * Statistical Tests Indicated Weak Internal Controls
               * Online Reconciliation and Certification Processes Not Fully
               * DHS Used a Provision of the Federal Acquisitions Regulations
          * Potentially Fraudulent, Improper, Abusive, or Questionable T
               * Potentially Fraudulent and Improper Activity Related to Purc
               * Abusive and Questionable Transactions
          * Concluding Observations
          * Contacts and Acknowledgments
          * Appendix I: Prior GAO Purchase Card Audits
          * VHA Purchase Cards: Internal Controls Over the Purchase Card
          * Appendix II: Background
          * The Department of Homeland Security's (DHS) purchase card pr
          * Appendix III: Scope and Methodology
               * Statistical Sample of Internal Control Procedures
               * Data Mining

United States Government Accountability Office

GAO

Testimony

Before the Senate Homeland Security and Governmental Affairs Committee

For Release on Delivery

Expected 10:00 a.m. EST Wednesday, July 19, 2006

PURCHASE CARDS

Control Weaknesses Leave DHS Highly Vulnerable to Fraudulent, Improper,
and Abusive Activity

Statement of Gregory D. Kutz, Managing Director

Forensic Audits and Special Investigations

John J. Ryan, Assistant Director

Forensic Audits and Special Investigations

GAO-06-957T

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

www.gao.gov/cgi-bin/getrpt? GAO-06-957T .

To view the full product, click on the link above. For more information,
contact Gregory D. Kutz at (202) 512-7455 or [email protected] and Matthew A.
Jadacki at (202) 254-5477 or

[email protected].

Highlights of GAO-06-957T , a testimony before the Committee on Homeland
Security and Governmental Affairs, U.S. Senate,

July 19, 2006

PURCHASE CARDS

Control Weaknesses Leave DHS Highly Vulnerable to Fraudulent, Improper and
Abusive Activity

In the wake of the 2005 hurricanes in the Gulf Region, GAO and the
Department of Homeland Security Office of Inspector General (DHS OIG)
initiated a number of audits and investigations addressing the federal
government's response to those events.

Department of Homeland Security (DHS) cardholders made thousands of
transactions related to hurricane rescue and relief operations. GAO,
working with DHS OIG, interviewed DHS personnel and reviewed purchase card
policies and procedures to assess the control environment. GAO and DHS OIG
conducted statistical tests from a random sample of transactions and
performed data mining on all DHS purchase card transactions for a 5-month
period beginning in June 2005. GAO and DHS OIG looked at all transactions
in this period because the database did not distinguish hurricane related
from routine purchases. GAO and DHS OIG used the testing results to
determine the extent of control weaknesses and identify instances of
fraud, waste, and abuse.

This testimony addresses whether (1) DHS's control environment and
management of purchase card usage were effective; (2) DHS's key internal
control activities operated effectively and provided reasonable assurance
that purchase cards were used appropriately; and (3) indications existed
of potentially fraudulent, improper, and abusive or questionable purchase
card activity at DHS.

A weak control environment and breakdowns in key controls exposed DHS to
fraud and abuse in its use of the purchase card. While DHS's draft
Purchase Card Manual generally contained effective control procedures, it
was not finalized due to a lack of leadership by the CFO in resolving
disagreements over its implementation. This led to DHS cardholders not
following the same procedures. Inadequate staffing, insufficient training,
and ineffective monitoring also contributed to the weak control
environment. The weak control environment and inconsistent purchase card
policies contributed to breakdowns in specific key controls. GAO and DHS
OIG found a lack of documentation that key purchase card internal controls
were performed. Based on a statistical sample, GAO and DHS OIG estimated
that 45 percent of DHS's purchase card transactions were not properly
authorized, 63 percent did not have evidence that the goods or services
were received, and 53 percent did not give priority to designated sources.
GAO and DHS OIG also found cardholders who failed to dispute improper
transactions, which resulted in losses to the federal government. Because
of the urgent needs caused by the hurricanes, DHS made a number of
noncompetitive purchase card acquisitions. GAO recognizes that DHS had the
authority to make noncompetitive purchases; however, GAO found
transactions where DHS cardholders could have exercised greater prudence
without jeopardizing relief efforts.

The weak control environment and ineffective internal control activities
allowed potentially fraudulent, improper, and abusive or questionable
transactions to occur. Although this work was not designed to identify,
and we cannot determine, the full extent of fraud, waste, and abuse, GAO
and DHS OIG identified numerous examples of potentially fraudulent,
improper, and abusive or questionable transactions. The table below lists
the potentially fraudulent activity related to items acquired with DHS
purchase cards. In addition, poor control over accountable property
acquired with purchase cards may have resulted in lost or misappropriated
assets.

Examples of Potential Fraud

Item Purchased         Description                   Amount of Transaction 
Lap Tops (FEMA)        Over 100 missing and presumed              $300,000 
                          stolen                        
Boats (FEMA)           Unauthorized use of card by a              $208,000 
                          vendor                        
Printers (FEMA)        Over 20 missing and presumed                $84,000 
                          stolen                        
Lap Tops (Coast Guard) 3 missing and reported stolen                $8,000 

Source: GAO and DHS OIG investigation.

GAO and DHS OIG also found examples of improper use of the purchase card
such as the use of convenience checks to pay $460,000 for pre-packaged
meals. Further, they found instances of abusive or questionable
transactions that included the purchase of a beer brewing kit, a 63"
plasma television costing $8,000 which was found unused in its original
box 6 months after being purchased, and tens of thousands of dollars for
training at golf and tennis resorts. GAO intends to refer the cardholders
responsible for many of these and other purchases to DHS management for
administrative action.

Madam Chairman and Members of the Committee:

Thank you for the opportunity to discuss the results of the forensic audit
and investigation of the Department of Homeland Security's (DHS) purchase
card program, a joint audit by GAO and DHS's Office of Inspector General
(DHS OIG). This joint audit is one among a number of audits and
investigations that GAO and DHS OIG initiated in the wake of Hurricanes
Katrina and Rita to review the effectiveness of the federal government's
disaster response. A crucial tool DHS used to expedite the government's
response to the two disasters was the SmartPay(R) purchase card program, a
program implemented to provide federal agencies and their employees a more
flexible and efficient way to purchase commercial goods and services. GAO
and DHS OIG support the use of a well-controlled purchase card program,
which our experience shows reduces transaction processing costs and
provides agencies with flexibility to achieve their mission objectives.
This testimony builds on GAO's substantial experience in identifying
fraud, waste, and abuse in government purchase card programs (see app. I
for previous audit reports) and DHS OIG's significant experience auditing
one of our nation's largest federal agencies.

With the creation of DHS in 2002,1 the management of thousands of purchase
cardholders from 22 separate federal agencies was combined under one
umbrella program, the DHS Purchase Card Program. The legacy agencies such
as the Federal Emergency Management Agency (FEMA), the U.S. Coast Guard
(Coast Guard), and the U.S. Customs and Border Protection (CBP) are now
referred to as DHS organizational elements. During fiscal year 2005, these
organizational elements accumulated more than $420 million in charges,
ranking DHS among the top purchase card users  in  the federal government.
In response to Hurricanes Katrina and Rita, DHS made thousands of purchase
card transactions to buy goods and services for hurricane rescue and
relief operations. For Katrina-related procurements, Congress authorized
an increase to the micropurchase threshold from $2,500 to $250,000. 2 When
making micropurchases, authorized cardholders are not required to solicit
competitive bids if they consider the price to be reasonable. For further
details on the DHS purchase card program, see appendix II.

1The Homeland Security Act of 2002, Pub. L. No. 107-296, led to the
creation in January 2003 of DHS-the most substantial reorganization of the
federal government since the 1940s. The creation of DHS, which began
operations in March 2003, represents the fusion of 22 federal agencies to
coordinate and centralize the leadership of many homeland security
activities under a single department.

Our testimony today addresses whether (1) DHS's control environment and
management of the purchase card program were effective; (2) DHS's key
control activities operated effectively and provided reasonable assurance
that purchase cards were used appropriately; and (3) indications existed
of potentially fraudulent, improper, and abusive or questionable activity
related to items acquired with DHS purchase cards.3  Following this
testimony, we plan to issue a joint report with recommendations to DHS for
improving internal controls over its purchase card activities.

The scope of our joint audit covered all DHS purchase card transactions
from June 13, 2005, through November 12, 2005. We selected all
transactions during this period because we could not distinguish between
routine and hurricane-related purchases in the database provided by U.S.
Bank (DHS's purchase card contractor). To assess the design and
implementation of controls over purchase card transactions, we conducted
interviews of purchase card administrators and compared DHS's purchase
card policies and procedures to the Office of Management and Budget's
(OMB) Circular No. A-123, GAO's Standards for Internal Controls in the
Federal Government (Standards for Internal Controls) and to the best
practices for purchase card programs outlined in GAO's Audit Guide:
Auditing and Investigating the Internal Control of Government Purchase
Card Programs (GAO's Audit Guide). Using purchase card data provided by
U.S. Bank, we conducted statistical tests from a random sample of
transactions and performed other audit work to evaluate the design and
implementation of key internal control activities.

2Second Emergency Supplemental Appropriations Act to Meet Immediate Needs
Arising from the Consequences of Hurricane Katrina, 2005, Pub. L. No.
109-62, Sec. 101 (Sept. 8, 2005).

3We considered potentially fraudulent purchases to be those which were
unauthorized and intended for personal use. The transactions we determined
to be improper are those purchases intended for government use, but are
not for a purpose that is permitted by law, regulation, or policy. We also
identified as improper a number of purchases made on the same day from the
same vendor, and which appeared to circumvent cardholder single
transaction limits or bidding requirements. We defined abusive
transactions as those that may be authorized, but the items purchased were
at an excessive cost or were not needed by the government, or both.
Questionable transactions could be improper or abusive but for which there
is insufficient documentation to conclude either.

We also performed data mining on the transactions to determine whether
there were potentially fraudulent, improper, abusive, or questionable
activities related to the purchase card program. Our data mining efforts
included reviewing and analyzing transactions to determine whether split
payments occurred,4 whether DHS maintained appropriate controls over
property accountability, and whether DHS was able to leverage the hundreds
of millions of dollars it spends with a purchase card to obtain favorable
pricing from frequently used vendors, among others. We used forensic audit
and investigative techniques to determine if the purchase card was used in
a potentially fraudulent manner. Although we did identify some potentially
fraudulent, improper, and abusive or questionable transactions, our work
was not designed to identify, and we cannot determine, the extent of
fraudulent, improper, and abusive or questionable transactions. See
appendix III for further details on our scope and methodology. We
conducted our audit work from November 2005 through June 2006 in
accordance with U.S. generally accepted government auditing standards. We
performed our investigative work in accordance with standards prescribed
by the President's Council on Integrity and Efficiency. We briefed DHS on
the details of our work, including our scope, and methodology and our
findings.

                                    Summary

A weak control environment and breakdowns in key internal controls 
exposed DHS to fraud, waste, and abuse in its purchase card program. Our
review of DHS's draft Purchase Card Manual (draft manual) found that the
draft manual generally incorporated well-designed internal controls for an
agencywide purchase card program that were consistent with OMB's Circular
No. A-123, GAO's Standards for Internal Controls, and the best practices
for purchase card programs outlined in GAO's Audit Guide.5 However,
according to representatives from the Office of the Chief Financial
Officer, the draft manual was not issued in its final format due to
ongoing disagreements with DHS organizational elements over its
implementation. Without a final policy, DHS organizational elements
adopted inconsistent purchase card practices. Some organizational elements
followed purchase card policies from their legacy agencies, others
observed requirements from the draft DHS policy, and yet others relied on
a combination. Overall, we found that a lack of leadership in finalizing
the draft manual, inadequate resources devoted to the purchase card
program, insufficient training, and ineffective monitoring and oversight
each contributed to a weak control environment.

4A split payment occurs when a cardholder splits a transaction into more
than one segment to circumvent the requirement to obtain competitive
prices for purchases over the $2,500 micropurchase threshold (in the case
of Hurricanes Katrina and Rita, a micropurchase threshold of up to
$250,000) or to avoid other established credit limits.

We also found weaknesses in specific key control activities over purchase
card transactions. Specifically, we found a lack of documentation that
required internal controls over purchase card transactions were performed.
Based on our sample of DHS purchase card transactions, we estimated that
45 percent did not have prior written authorization, 8 percent did not
provide required sales documentation, 63 percent did not have evidence
that the goods or services were actually received, and 53 percent did not
give priority to required or preferred vendors (designated sources). We
also found instances where DHS cardholders failed to dispute improper
transactions, resulting in losses to the federal government from improper
and potentially fraudulent purchases. Further, DHS did not invoke the
special authority provided to increase the threshold for micropurchases
from $2,500 to $250,000. Instead, DHS invoked other clauses in the Federal
Acquisition Regulations (FAR) to make noncompetitive purchases under
existing procurement authority. While we recognize that DHS has authority
to make such noncompetitive purchases under the FAR, we identified
transactions where DHS cardholders could have obtained better pricing
without jeopardizing relief efforts or where the purchase was unnecessary.
Later in our testimony, we identify examples of poor pricing and
unnecessary purchases, but also highlight instances where the cardholder
acted prudently to obtain the best pricing.

5Because we believe DHS's draft manual, Department of Homeland Security
Purchase Card Manual (Washington, D.C.: Mar. 8, 2004) is largely
consistent with GAO's Audit Guide: Auditing and Investigating the Internal
Control of Government Purchase Card Programs, GAO-04-87G (Washington,
D.C.: Nov. 1, 2003) and Standards for Internal Control in the Federal
Government,  GAO/AIMD-00- 21.3.1 (Washington, D.C. Nov. 1999),  we
generally used the draft manual as the criteria against which we tested
internal controls.

The weak control environment and weak implementation of specific internal
control activities allowed potentially fraudulent, improper, abusive, or
questionable transactions to go undetected. In one potential fraud case,
ineffective procurement practices resulted in DHS paying double the retail
price for 20 flat-bottom boats. The vendor in this case improperly used
the DHS purchase card number to purchase boats from retailers before
reselling them to DHS. In another potentially fraudulent case, breakdowns
in property accountability controls  allowed a DHS employee to submit
falsified records related to three stolen laptops. As an example of
improper use of a purchase card, we identified a cardholder who  used
convenience checks to pay a vendor who normally accepted credit cards but
who did not want to pay credit card transaction fees for a large
purchase-in which case the cardholder violated DHS policy. As a result of
this policy violation, the DHS incurred $8,000 in unnecessary processing
fees related to the use of convenience checks.

Other cardholders abused their purchase card privileges or made
questionable purchases. For example, one cardholder purchased a beer
brewing kit and ingredients to brew beer for official parties. Another
cardholder, based on questionable need, purchased a Samsung 63-inch plasma
screen television for about $8,000 at the end of the fiscal year. We
observed this large-screen television unused and in its original packaging
6 months after it was purchased. In cases where appropriate, we plan to
refer cardholders responsible for these and other purchases to DHS
management for possible administrative action. We also found instances
where items acquired with a DHS purchase card highlight weaknesses in
DHS's inventory control and procurement practices that led to potentially
fraudulent and abusive or questionable activity. For example, over 100
laptops were lost or misappropriated when shipped to New Orleans as part
of the relief efforts. The above examples of potential fraud, improper use
of the purchase card, and abusive or questionable activity relating to
items acquired with DHS purchases cards are further detailed below.

Weaknesses in DHS's Overall Control Environment Contributed to Ineffective
                         Purchase Card Program Controls

DHS has not established an effective internal control environment to
manage its government purchase card program. Specifically, for the last
two years, DHS did not finalize its departmentwide purchase card policy
that detailed the internal control policies and procedures that
organizational elements must follow. As a result, cardholders did not
consistently apply basic control procedures, which were necessary to
provide reasonable assurance that acquisitions made with purchase cards
adhered to governmentwide requirements. Inadequate staffing and training,
and a weak postpayment audit function  further contributed to a weak
overall internal control environment and left DHS vulnerable to fraud,
waste, and abuse.

Unimplemented Agencywide Manual Contributes to Inconsistency and Confusion

DHS's Chief Financial Officer (CFO) distributed the agency's most recent
draft of the departmentwide purchase card policies and procedures in March
2004. Since then the draft manual has been out for agencywide comment
twice. The internal control procedures described in that draft document
were largely consistent with OMB Circular No. A-123, GAO's Standards for
Internal Controls, and GAO's Audit Guide. According to the Office of the
Chief Financial Officer, the draft policies were not accepted and
implemented across DHS due to disputes with organizational elements over
implementation of the draft manual. Further, officials within the Office
of the Chief Financial Officer do not have a plan or timeline for
resolving these disputes in order to finalize DHS's draft manual. 
Consequently, some organizational elements are following internal control
policies that existed in their legacy environments prior to their
absorption into DHS, while others adopted DHS's draft policies. Others are
adhering to elements from both. We found that although some internal
control policies from legacy agencies were consistent with GAO's Standards
for Internal Controls and GAO's Audit Guide, others were not. For 
example, the Organizational Program Coordinator (OPC) for the Purchase
Card Program at the Coast Guard stated that written authorization prior to
purchase is generally required. In contrast, CBP indicated that written
authorization is not required prior to use by a CBP cardholder.

As a result of the unimplemented DHS draft manual, organizational elements
were confused about and did not consistently apply purchase card policies
and procedures, which negatively affected the control environment. As an
example, the OPC at the Coast Guard, in charge of the largest purchase
card program within DHS, informed us that some cardholders within Coast
Guard followed the draft DHS manual, while others did not consider the
manual applicable.

Insufficient Resources Committed to Purchase Card Program

DHS failed to assign sufficient resources to manage its purchase card
program. As a result, we found many instances where approving officials
had oversight responsibilities for an excessive number of cardholders.
Additionally, we found that DHS lacked sufficient staffing to effectively
manage and oversee the purchase card program.

GAO's Audit Guide and OMB Circular No. A-123 emphasize the importance of
establishing reasonable levels of responsibility for approving officials
who are responsible for reviewing and certifying purchase card
transactions. Assigning approving officials more cardholders than they can
effectively supervise is a symptom of a weak control environment, as it is
unreasonable to expect approving officials who have too many transactions
to conduct a thorough and proper review of supporting documentation for
each transaction. Basic fraud prevention concepts and our previous audits
of purchase card programs have shown that opportunities for fraud and
abuse arise if cardholders know that their purchases are not being
properly reviewed.

We found that DHS's draft manual contained requirements for approving
officials that are consistent with OMB Circular A-123 and GAO's Audit
Guide. Specifically, the proposed DHS policy stipulates that a single
approving official may not oversee more than 7 cardholders.  However, our
work showed that DHS organizational elements did not adhere to this
guidance. As shown in table 1, as of the end of fiscal year 2005, we found
that 176 DHS approving officials, out of approximately 3,300 approving
officials departmentwide, had oversight responsibilities for more than 7
cardholders.6 At the Coast Guard alone, 147 approving officials supervised
more than 7 cardholders, with 3 individuals managing more than 30
cardholders. According to the OPC at the Coast Guard, insufficient staff
to monitor and oversee the purchase card program is a primary cause for
the large number of approving officials with excessive span of control.
Having approving officials responsible for more than 7 cardholders is
inconsistent with the DHS draft manual and is contrary to GAO's best
practices guidance.

Table 1: Number of Approving Officials at DHS Organizational Elements with
Excessive Span of Control

                                Number of approving officials with excessive 
                                  span of control, stratified by number of   
                                            cardholders managed              
Organizational element          8-10    11-20    21-30    > 30       Total
U.S. Coast Guard                           84       53       7    3   147 
U.S. Customs and Border                                                   
Protection                                  7        3       0    0    10 
Federal Emergency                                                         
Management Agency                           5        3       0    0     8 
U.S. Secret Service                         3        2       0    2     7 
DHS Science and Technology                  1        0       0    0     1 
Transportation Security                                                   
Administration                              0        1       0    0     1 
U.S. Citizenship and                                                      
Immigration Service                         1        0       0    0     1 
Federal Air Marshal Service                 1        0       0    0     1 
Total                                     102       62       7    5   176 

Source: GAO analysis of U.S. Bank data.

Our analysis of purchase card data uncovered other fundamental breakdowns
in controls. For example, we identified 6 cardholder accounts where the
approving official and the cardholder were the same individual-a major
conflict of interest. We also identified 2,468 open accounts-19 percent of
DHS's purchase cards-that as of December 13, 2005, had not been used since
before January 2005. According to OMB and the U.S. General Services
Administration (GSA),7 purchase cards should only be issued to individuals
who have a documented need to acquire items for the government with the
purchase card. It is difficult to argue that the 2,468 individuals who
have not made a single purchase in an entire year have such a need.
Consequently, those accounts should have been closed to minimize the risk
of fraud, waste, and abuse.

6On an agencywide basis, 2,150 cardholders, or over 20 percent of DHS's
over 9,000 cardholders, were managed by approving officials whose span of
control exceeded the 7:1 cardholder to approving official internal control
as contained in the DHS draft manual.

7Federal agency purchase card programs operate under a government wide GSA
SmartPay(R) master contract. Agency purchase card programs must comply
with the terms of the contract and task orders under which the agency
placed its order for purchase card services.

Furthermore, we found that at both the DHS level and organizational
element level, there were inadequate resources to effectively manage the
program. As stated in GAO's Audit Guide, it is vital for purchase card
programs to be sufficiently staffed to manage the program. At the DHS
agencywide level, the DHS Agency Program Coordinator (APC) is the sole
person responsible for overseeing not only DHS's Purchase Card Program,
one of the government's largest purchase card programs, but also DHS's
Travel Charge Card Program and Fleet Charge Card Program.8 In total, DHS
spent nearly $1 billion on these three charge card programs during fiscal
year 2005. Based on our assessment of the control environment and
discussions with the APC, a lack of adequate resources caused insufficient
management and oversight of the purchase card program at the DHS
agencywide level.

At the organizational element level, we found a similar lack of staffing
resources devoted to the management of the purchase card program. For
example, as shown in table 2, the number of personnel assisting the OPC at
the organizational element level is not consistent with the risk of
exposure, as measured by expenditures. In fact, the largest organizational
element, the Coast Guard, provides no additional staff to the OPC to
assist in managing and overseeing the purchase card program. Based on our
assessment of the control environment and discussions with the OPC at the
Coast Guard, the Coast Guard did not have adequate resources to both
administer the purchase card program and provide adequate compliance
control.

8The GSA offers SmartPay(R), a federal government charge card program that
improves travel, purchase, and fleet payment services for federal
employees by simplifying payments and cutting administrative costs.

Table 2: Employees Responsible for Management of the Purchase Card Program
at Four of the Largest Organizational Elements within DHS

                           Staff devoted to  Fiscal year 2005 total purchase  
Organizational element    purchase card       card dollars (millions)      
U.S. Coast Guard        1 (OPC)                                      $ 227 
Federal Emergency       2 (1 OPC and 1                                  32 
Management Agency       additional staff) 
U.S. Immigration and    4 (1 OPC and 3                                  21 
Customs Enforcement     additional staff) 
U.S. Customs and Border 6 (1 OPC and 5                                  66 
Protection              additional staff) 

Source: DHS data.

Evidence Lacking that Most Cardholders Received Required Training

Evidence was not provided to show that DHS is providing the training
necessary to obtain reasonable assurance that its cardholders understand
the purchase card program's key controls. Adequate training is essential
to ensuring that the cardholders and approving officials have the skills
necessary to achieve organizational goals in an effective and efficient
manner. OMB Circular A-123 and DHS's draft manual require that all
cardholders be trained prior to receiving a purchase card and receive
annual refresher training. We found that for 60 of the 96 transactions in
our statistical sample, the cardholder lacked documentation showing that
they received either the required initial training or the refresher
training.

Monitoring and Oversight Needs Improvement

Our review of the  DHS purchase card program found that DHS had
ineffective procedures to monitor and oversee cardholder's compliance with
agencywide and governmentwide purchase card policies through postpayment
audits. The purpose of the postpayment audit is to provide reasonable
assurance that the purchases made by cardholders, and payments made to the
bank, were valid and appropriate. However, our audit found that DHS did
not conduct postpayment audits effectively. Specifically, we found that
the organizational elements did not follow up with cardholders who failed
to provide the required supporting documentation. We identified 10,339
transactions between December 2003 and February 2006 that were selected
for audit, but which were not audited because cardholders did not submit
the required supporting documentation. Many of the cardholders who failed
to submit the required supporting documentation were nevertheless allowed
to continue using their purchase cards. Failure to suspend those cards and
discipline users exposed DHS to fraud, waste, and abuse in its purchase
card program.

  Inconsistently Implemented Control Activities Leave DHS Vulnerable to Fraud,
                                Waste, and Abuse

The results of our testing of key controls at DHS revealed significant
failure rates that bring into question the efficacy of DHS's
implementation of internal controls.  Internal control activities
associated with purchase card transactions occur at various levels within
an agency. Activities include a wide range of diverse actions such as
authorizations, verifications, reconciliations, certifications, and the
production of records and documentation. However, our statistical tests of
DHS purchase card transactions from June 13, 2005, through November 12,
2005, found that several  key transaction-level controls were 
ineffective, with failure rates ranging from 8 percent to 63 percent. In
addition, the high rates of failure associated with authorization and
independent receipt and acceptance also led us to question the
effectiveness of the DHS reconciliation and certification process.
Specifically, DHS's automated systems and practices associated with
reconciling and certifying purchase card transactions for payment were not
effective to provide reasonable assurance that charges appearing on the
cardholder's bank statements were valid. We also found instances where DHS
lacked effective controls to ensure proper follow-through of disputed
transactions, leaving DHS at an increased risk of fraud, waste, and abuse
associated with the payment of purchase card transactions.

Finally, while DHS did not rely on its increased micropurchase threshold
authority, DHS did activate certain FAR provisions to streamline the
acquisition process for transactions made in response to the hurricane
disaster in the Gulf Region. We are not questioning the authority on which
DHS relied. However, we have identified examples where DHS did not
exercise prudent pricing practices.

Statistical Tests Indicated Weak Internal Controls

Control activities we tested included whether (1) cardholders obtained
written authorization prior to purchases, (2) invoices supporting the
transactions existed, (3) independent receipt and acceptance of goods and
services occurred, and (4) cardholders screened for required or preferred
vendors (designated sources). As shown in table 3, the failure rates for
the four attributes that we tested ranged from 8 percent to 63 percent. We
looked for documented evidence that these control activities were
followed; therefore, these rates may be higher than actual failures rates
if control activities were followed but not documented.

Table 3: Results of Statistical Testing for Four Key Internal Controls
(percent)

Internal control                Point estimatea      95-percent confidence 
                                                                    intervalb 
Authorization                                45                      35-55 
Sales documentation                           8                     4 - 16 
Independent receipt and                                                    
acceptance                                   63                    53 - 73
Priority for designated sources              53                      43-63 

Source: GAO and DHS OIG  testing and statistical analysis of DHS purchase
card transactions provided by U.S. Bank.

aThe numbers represent point estimates for the population based on our
random sample rounded to the nearest percentage point.

bThe numbers represent a 2-sided confidence interval assuming a 95 percent
confidence level.

Lack of Written Authorization-In 45 percent of the sample transactions,
the cardholders did not obtain written authorization prior to obtaining
the items in question. Requiring the cardholder to obtain written
authorization prior to using the purchase card is key to providing
reasonable assurance  that the purchase represents a legitimate government
need. The draft manual addresses this fundamental internal control element
by proposing to require written authorization prior to purchases. However,
as indicated by the high rate of failure, cardholders did not consistently
adhere to this internal control standard, thereby exposing DHS to misuse
of the purchase card. For example, a cardholder from CBP acquired nearly
$2,500 in rain jackets without written preauthorization. Had the
cardholder been subject to DHS's requirement for written authorization
prior to purchase, as outlined in the draft manual, this improper purchase
may have been prevented.

Lack of Sales Documentation Supporting Purchases-We estimate that 8
percent of DHS cardholders failed to provide sales documentation, such as
a receipt, for the items obtained with a purchase card. This is
inconsistent with the draft manual, which would require cardholders to
obtain and retain all sales documentation relevant to their transaction.
Requiring cardholders to obtain and retain sales related documentation
from the vendor is a basic internal control to reduce the risk of fraud,
waste, and abuse. Without sales documentation, an approving official has
no means of reasonably determining whether the item purchased represents a
legitimate government need or is fraudulent, improper, or abusive.

Lack of Independent Receipt and Acceptance-We estimate that 63 percent of
DHS transactions did not have independent receipt and acceptance. Receipt
and acceptance of goods and services by someone other than the cardholder
provides reasonable assurance that the organization actually received what
it purchased. This internal control procedure segregates the duties
involved in the acquisition of goods and services and thereby reduces the
risk of fraud, waste, and abuse. According to GAO's  Audit Guide, a
properly documented independent receipt and acceptance must contain the
signature of the independent individual, who should also document the date
of receipt. Failure to adhere to proper receipt and acceptance procedures
exposes agencies to increased risk of fraud, waste, and abuse. For
example, a transaction we sampled involved the purchase of three laptop
computers by a Coast Guard cardholder. However, independent receipt and
acceptance was not performed, and the laptops were not recorded in the
property records. Subsequently, the laptops could not be located and were
later reported as stolen. If proper receipt and acceptance had been
performed, theft of the laptops may have been prevented.

Failure to Give Priority to Designated Sources-We estimate that in 53
percent of the sampled transactions, the cardholder failed to document
whether they gave priority to designated sources. In one example, a
cardholder purchased 25 portable  global positioning system (GPS) units at
full retail price from Best Buy when the same units could have been
obtained through a GSA Advantage9 vendor for 15 percent less. The DHS
draft manual  would  require that cardholders use designated sources if
the source is capable of providing the goods or services as needed. GSA
Advantage is identified as a designated source in the draft manual.
Generally, the goods and services provided by designated sources will be
offered at reasonable prices.10 In this case, the failure to consider
designated source resulted in the cardholder paying Best Buy about $2,700
more than if the units were acquired through GSA Advantage. Although the
cardholder was acquiring the GPS units for an emergency situation, we
found that GSA Advantage can often deliver goods on an expedited basis.
Alternatively, the cardholder could have obtained a special discount from
Best Buy if he had opened a government account.

Online Reconciliation and Certification Processes Not Fully Effective

Effective reconciliation and certification are crucial in helping to
provide reasonable assurance that all charges appearing on the
cardholder's bank statement are valid. However, our review of the DHS
purchase card systems found that the practices used by the Coast Guard,
FEMA, CBP, and U.S. Immigration and Customs Enforcement (ICE) were not
fully effective. Each of these organizational elements primarily relied
upon online reconciliation and certification capabilities inherent in
their respective purchase card systems, but none of these systems provided
sufficient evidence to determine if a comprehensive reconciliation and
certification was actually performed. While online processes can provide
an efficient and effective means for accomplishing such tasks without the
burden of a paper-laden environment, reliance upon online processes
requires effective internal controls (e.g., sufficient audit trails,
implementation of sound business practices) to gain reasonable assurance
that the processes were properly performed. However, none of these DHS
components had fully effective systems or practices to provide reasonable
assurance that cardholders exercised due diligence in reconciling their
statements. One attribute lacking was notations, such as the ability to
enter check marks indicating that transactions on the cardholder's monthly
statements were individually reviewed and reconciled. In addition, these
components did not demonstrate that they had fully effective systems or
practices that would allow them to track the length of time a cardholder
spent performing their reconciliation and an approving official spent
certifying statements to rule out the possibility of merely "rubber
stamping" monthly statements. Further, we found many instances where
approving officials did not certify their respective cardholders'
statements. DHS's draft manual requires approving officials to certify a
cardholder's bill within 14 days of the close of billing cycle. Based on
the results of our analysis, we identified 8,630 uncertified statements
that were pending approving official certification as of February 12,
2006.

9GSA Advantage, a program offered by the GSA, is a convenient one-stop
shopping source to meet federal agencies' procurement needs by selecting
and listing vendors who may offer the best value.

10Using designated sources results in the agency obtaining reasonable
prices or purchasing goods and services that meet other policy objectives,
such as creating jobs and training opportunities for people who are blind
or have other severe disabilities.

As previously discussed, given the insufficient resources committed to the
purchase card program and the high rates of failure associated with the
authorization and independent receipt and acceptance, comprehensive
reconciliations and certifications are crucial in helping to provide
reasonable assurance that all charges are valid. As a result of these
internal control weaknesses, DHS's compliance with controls to prevent or
detect fraudulent, improper, or abusive purchases is in question.

Pay and Confirm Environment Increased Risk of Fraud, Waste, and Abuse

We found instances where DHS cardholders failed to dispute unauthorized
transactions. The dispute process is especially critical in DHS's pay and
confirm environment, called SmartPay(R). One feature of GSA's SmartPay(R)
program is that, unlike a normal credit card monthly billing process, the 
agency pays charges daily. By agreeing to pay first and confirm later,
agencies can reduce costs since the bank provides rebates11  based on how
quickly the charges are paid. However, the pay and confirm environment
requires diligence on the part of cardholders to perform thorough and
comprehensive reconciliations of their charges and to submit timely
disputes  of improper charges to the bank for credit. Because agencies
have already paid the bank for the potential unauthorized charges prior to
receiving the monthly billing statement, the payment will not be reversed
unless a dispute is submitted.

11As part of GSA's SmartPay(R) program, contracting banks provide rebates
(refunds) to agencies based on sales volume (payments) and payment
timeliness.

Because of weaknesses in the implementation of the dispute process in some
instances, DHS did not identify and obtain credits for unauthorized
transactions. In one instance, a cardholder appropriately initiated the
dispute process when a vendor improperly charged the government $153,000
prior to completion of contracted services. However, the cardholder failed
to perform appropriate follow-through and submit the required dispute
documentation. Consequently, DHS made a second payment to the vendor when
services were complete, resulting in a double payment of $153,000. FEMA
was unaware of the double payment until we questioned the payments in May
2006. At that time, FEMA contacted the vendor and recovered the
overpayment. In another example, discussed later in this testimony, a
cardholder's failure to dispute $30,000 in unauthorized charges resulted
in FEMA making payments for potentially fraudulent and improper charges
for flat-bottom boats. In this case, the cardholder and the approving
official failed to dispute the unauthorized charges.

Although the pay and confirm environment can bring economic benefits
(i.e., rebates) to federal agencies, it requires the implementation of
effective controls to detect and correct charges that should be disputed
and reversed. The high rates of failure in our tests of key internal
controls and the examples highlighted above bring into question whether
DHS's pay and confirm process exposes DHS to unacceptable levels of risk
for  fraud, waste, and abuse.

DHS Used a Provision of the Federal Acquisitions Regulations to Avoid Obtaining
Competitive Bids

To facilitate the government's response to hurricanes Katrina and Rita,
Congress authorized an increase to the micropurchase threshold from $2,500
to $250,000. When making micropurchases, authorized cardholders need not
solicit for competitive bids if they consider the price reasonable.
Executive agencies such as DHS could have extended this authority to
certain cardholders directly supporting hurricane-related rescue and
relief operations. However DHS told us that they did not implement the
increased threshold because they had the flexibility they needed to make
noncompetitive purchases under existing procurement authority. DHS cited
their justification for other than full and open competition under the
Unusual and Compelling Urgency provisions of the Federal Acquisition
Regulations.12 Under these provisions, cardholders had discretion to
select contractors noncompetitively as long as the purchase was directly
related to Hurricane Katrina response efforts.

Although DHS has authority to make purchases without competition, we
highlight transactions where DHS cardholders failed to adopt prudent
pricing practices and subsequently wasted government funds. Part of DHS's
mission is to respond to emergency situations like Katrina and Rita and a
reasonable person would expect DHS to be more prepared for relief and
rescue operations than other agencies with routine functions. In this
light, we question the propriety of several of the noncompetitive
transactions that we investigated for potential fraud. In the next section
we identify many examples of potential fraud, improper purchases, and
abusive or questionable transactions. Some of the examples are
multifaceted and touch on several issues including the pricing and
requirements management issues discussed previously.

    Potentially Fraudulent, Improper, Abusive, or Questionable Transactions

Our forensic audit and investigative work identified numerous transactions
where DHS failed to prevent or detect potential fraudulent, improper,
abusive, or questionable purchases. Many of these examples also show that
the government could have obtained better pricing. However, our work was
not designed to identify all instances of, or estimate the full extent of
fraud, waste, and abuse. Therefore we did not determine, and make no
representations regarding, the overall extent of fraudulent, improper, and
abusive or questionable transactions.

126.302-2 and 41 U.S.C. S: 253(c)(2), state that "[a]n executive agency
may use procedures other than competitive procedures only when . . . the
executive agency's need for the property or services is of such an unusual
and compelling urgency that the Government would be seriously injured
unless the executive agency is permitted to limit the number of sources
from which it solicits bids or proposals." See also 48 C.F.R. S: 6.302-2,
Unusual and compelling urgency.

Potentially Fraudulent and Improper Activity Related to Purchase Card
Acquisitions

Our data mining work identified many instances of both potentially
fraudulent and improper use of the purchase cards, and potentially
fraudulent and improper activity related to items acquired with the
purchase card. We considered potentially fraudulent purchases to be those
which were unauthorized and intended for personal use. The transactions we
determined to be improper are those intended for government use, but which
are not for a purpose that is permitted by law, regulation, or policy.

Potentially Fraudulent Activity-Table 4 shows five cases of potential
fraud involving both use of a DHS  purchase card and weaknesses with DHS's
accountable property13 controls that led to potentially fraudulent
misappropriation of government assets. Property that is unaccounted for
may simply be misplaced; or it may be that the assets were misappropriated
for a use other than that of the government. The misappropriation of
government assets (theft) represents fraudulent activity. These five
potentially fraudulent cases involve 154 missing items out of the 433
accountable property items that we tested. Because only a limited number
of transactions in our statistical sample contained accountable or
pilferable property, we did not attempt to estimate the extent to which
DHS could not account for pilferable property.

13DHS's Personal Property Management Directive 565 defines accountable
property as personal property with an initial acquisition cost at or above
a specific threshold, and items designated as sensitive. These items are
to be recorded in the organization's automated control system. DHS's
Capitalization and Inventory of Personal Property Management Directive
1120 establishes differing thresholds for tracking accountable property.
Generally, DHS requires its organizational elements to track electronic
communications equipment with a cost greater than or equal to $1,000,
information technology equipment with memory at any cost, and other
personal property with a cost greater than or equal to $5,000.

Table 4: Potentially Fraudulent Activity

        Items       Organizational                                  Amount of 
Case purchased   element        Vendor   Additional facts      transaction 
      1 Laptop      FEMA           CDW      107 of 200 not           $300,000 
        computers                           located               
      2 Flat-bottom FEMA           Banita   Unauthorized use of       177,000 
        boats                      Creek    purchase card by a    
                                   Hall     vendor, 12 of 20      
                                            boats not in property 
                                            system                
      3 Printers    FEMA           CDW      22 of 100 not located      84,000 
      4 GPS units   FEMA           Best Buy 2 of 25 not located        18,000 
      5 Laptop      Coast Guard    Best Buy 3 of 3 reported as         13,000 
        computers                           stolen                

Source: GAO and DHS OIG investigation.

Our testing work for the above transactions included traveling to the
location of the accountable property to observe the item and determine if
the asset existed  or was in possession of the government. More detailed
information is as follows:

           o  In cases 1, 3, and 4, FEMA purchased 200 laptops, 100 printers,
           and 25 GPS units in five separate transactions totaling about 
           $400,000. While FEMA documented independent receipt and acceptance
           for the laptops and the GPS units, it did not do so for the
           printers. Further, FEMA did not properly record and track some of
           the assets in its property records. As a result, FEMA could not
           locate the accountable property items when asked, and consequently
           was not able to account for 107 laptops, 22 printers, and 2 GPS
           units that cost  about $170,000.

           Based on the information FEMA provided for the location of the
           assets in question, in March 2006 we traveled to the FEMA field
           offices in New Orleans and Baton Rouge to observe assets acquired
           using a purchase card. After arriving at these locations, however,
           FEMA gave us different location information. We were instead
           informed that the laptops were shipped directly to and currently
           located in a conference room at the Royal Sonesta Hotel in the
           French Quarter, which was serving as the Joint Command Post for
           the various federal, state, and local authorities. We were told
           that many of the laptops and printers were being used by the New
           Orleans Police Department (NOPD) at the Joint Command Post.
           However, as shown in figure 1, when FEMA's accountable property
           officer took us to the conference room, it was vacant and the
           laptops and printers were missing.

           Figure 1. Hotel Conference Room Where FEMA Laptops and Printers
           Were Supposed to Be

           We questioned NOPD to find the location of the laptops and
           printers and we were able to account for 28 laptops and 16
           printers in the possession of NOPD personnel and 4 laptops in
           possession of the Louisiana District Attorneys Office (LADA).
           These assets were on loan to NOPD and LADA to assist them in their
           hurricane response efforts. We subsequently accounted for 61
           laptops, 72 printers, and 23 GPS units at FEMA field offices in
           Baton Rouge and New Orleans.  Despite substantial efforts to
           locate the property, neither FEMA, GAO, or DHS OIG  was able to
           find all the accountable property at the time of our field
           testing. Ultimately, FEMA could not account for 107 laptops, 22
           printers, and 2 GPS units with a total value of about $170,000.

           Significantly, we found that FEMA failed to enter the laptops into
           their accountable property system until two months after delivery.
           In addition, when FEMA did add the laptops to the property system,
           they failed to accurately record who was in possession of the
           laptops. In February 2006, after we made inquiries regarding the
           laptops, FEMA made an effort to track down the laptops and
           properly record who was in possession of and accountable for the
           laptops. However, they were unable to do so for most of the
           laptops. The process for using a purchase card to obtain highly
           pilferable and expensive equipment such as laptops should include
           controls that ensure such property is accurately recorded and
           tracked in a property system. In this case, the absence of
           effective controls led to potential fraud and a substantial cost
           to the taxpayer.

           o  For case 2, FEMA paid a vendor $208,000, or twice the retail
           price, to deliver 20 flat-bottom boats (with motors and trailers)
           needed for relief operations in New Orleans. This vendor, a broker
           who did not possess any boats himself, used the FEMA purchase card
           account number to pay for the boats prior to delivery to FEMA. He
           also used the card number to make two unauthorized payments for 6
           of the 20 boats totaling about $30,000. Although the vendor billed
           FEMA for all 20 of the boats, the vendor failed to pay one
           retailer who provided 11 of the 20 boats. This retailer provided
           the boats to the broker believing he was dealing with a FEMA
           representative, and therefore the retailer did not require payment
           up-front. The retailer has since reported the 11 boats as stolen
           and not provided title to the vendor. Further, FEMA only has 8 of
           the 20 boats in its property records and could not provide the
           location for the other 12 boats.

           Many issues surround the purchase of the 20 boats, but the most
           significant involve the vendor. We estimate that the vendor walked
           away with over $150,000, including the profit he made on the 11
           boats that the vendor obtained without payment. We are
           coordinating our investigation with both local law enforcement and
           the Federal Bureau of Investigation. Key control breakdowns
           relating to this transaction include the cardholder not obtaining
           adequate receipt and acceptance as evidenced by the fact that FEMA
           did not receive title to at least 11 boats, and the fact that
           neither the cardholder or the approving official flagged two
           unauthorized charges on the monthly purchase card statement.

           o  Case 3 involved one or more Coast Guard employees who submitted
           falsified records and provided false information pertaining to the
           theft of three laptop computers. Our investigative work found that
           a Coast Guard cardholder, accompanied by an Information Technology
           (IT) specialist, purchased 13 laptops from Best Buy using his
           government purchase card. The cardholder placed the laptops in an
           unsecured trailer, but did not immediately record the serial
           numbers so they could be entered into an accountable property
           system. According to the cardholder, 3 laptops went missing the
           next day. In an interview with our investigator and the Coast
           Guard Investigative Service, the cardholder admitted that he did
           not record the serial numbers immediately as instructed by his
           superior, and the property log was subsequently falsified to
           include fictitious serial numbers for the missing laptops. During
           separate interviews with the cardholder and the IT specialist, we
           noted inconsistencies in their explanations. We attempted to
           conduct a follow-up interview with the IT specialist, but after
           being notified to report for the scheduled interview, the IT
           specialist took actions that made himself unavailable. The Coast
           Guard Investigative Service is continuing to investigate the
           stolen laptops.

Improper Transactions-We identified numerous instances where cardholders
used their purchase cards to make improper purchases.  According to the
FAR, purchase cards may be used only for purchases that are otherwise
authorized by law, regulation, or organizational policy. Table 5 contains
some examples of improper transactions.

Table 5. Examples of Improper Purchase Card Transactions

                         Organizational                             Amount of 
Case Items purchased  element              Vendor              transaction 
      1 Meals ready to   CBP                  MRE Foods.com          $465,000 
        eat (MRE's)                                          
      2 Waste removal    FEMA                 EMO Energy              153,000 
                                              Solutions      
      3 Rain jackets     CBP                  Helly Hansen              2,500 
      4 Men's clothing   ICE                  Hecht's                     430 

Source: DHS data.

The following contains detailed information on some improper transactions
shown in table 5:

           o  Case 1 related to the improper use of convenience checks, where
           a CBP cardholder improperly issued five convenience checks
           totaling about $465,000 to prepay for a 2 months' supply of
           meals-ready-to-eat (MRE), about $30,000 of which was for shipping.
           The MREs were sent to the Gulf Region for consumption by CBP
           employees who were deployed to assist in the response to the
           hurricanes. In general, DHS policies consider the use of
           convenience checks a tool of last resort, that is, to be used only
           after "maximum efforts" have been made to find alternate vendors
           who accept the government purchase card. However, we found that
           the CBP cardholder violated DHS policies related to use of
           convenience checks.

           In addition, the CBP employees who were sent to the Gulf Region
           were pulled out earlier than anticipated and almost half of the
           MREs purchased were delivered to a CBP training facility in El
           Paso, Texas. Because the cardholder prepaid for the MREs, the
           cardholder precluded the option of buying in increments as the
           fluid circumstances might have dictated. Because the demand did
           not materialize, thousands of MREs are sitting in a warehouse in
           El Paso, Texas.

           The cardholder in this instance relied on the Unusual and
           Compelling Urgency provisions of the Federal Acquisition
           Regulations to expedite the purchase and meet an apparent need.
           While we are not questioning the cardholder's reliance on these
           provisions, we identified actions taken by the cardholder that
           unnecessarily increased the cost to the taxpayer:

                        o Instead of contracting with the Defense Logistics
                        Agency14 (DLA) to deliver MREs on an as-needed basis,
                        the cardholder acquired about 62,000 MREs from a
                        vendor on the internet. However, DLA informed us that
                        it had a large supply of MREs when Hurricane Katrina
                        hit the Gulf Region and would have been able to meet
                        CBP's demand for MREs and provide free shipping.
                        Further, we found that a GSA Advantage vendor was
                        selling similar MRE's at a substantially lower price
                        than what the cardholder paid. The vendor selected by
                        the cardholder was not a GSA Advantage vendor and the
                        cardholder acknowledged that she did not contact this
                        GSA Advantage vendor. Had the cardholder contacted
                        the GSA Advantage vendor, she may have saved
                        taxpayers over $100,000.

                        o The website of the vendor selected by the
                        cardholder clearly shows that it accepts credit
                        cards. However, according to the cardholder, the
                        vendor did not want to incur a credit card processing
                        fee on the large order. The cardholder therefore paid
                        the vendor using convenience checks, which cost the
                        government a 1.75 percent processing fee. Therefore,
                        due to the cardholder's improper use of convenience
                        checks, DHS paid $8,000 in processing fees
                        unnecessarily.

                        o  In case 3, a CBP cardholder improperly used his
                        purchase card to acquire 37 black rain jackets from
                        Helly Hansen for nearly $2,500 and obtained a
                        government discount to the personal benefit of CBP
                        employees. The purchase violated CBP's policy against
                        using a purchase card to acquire clothing. The
                        cardholder claimed the rain jackets were personal
                        protective equipment (PPE) for which there is an
                        exception. The cardholder explained that the black
                        rain jackets are given to safety officials on the
                        firing range and allow these officials to be readily
                        identified. However, these officials are issued red
                        shirts for safety and identification purposes and
                        when it rains, the red shirts are covered by the rain
                        jackets. Other individuals who are not safety
                        officials also wear black rain jackets, making these
                        other individuals indistinguishable from safety
                        officials. Therefore, the rain jackets do not serve a
                        safety purpose and are not PPE. The cardholder also
                        admitted that when the rain is heavy, the firing
                        range is normally shut down. Furthermore, the rain
                        jackets were not kept on the firing range but were
                        given to range officials to keep, without any record
                        of who was receiving the rain jackets. While safety
                        of CBP employees should be a primary concern, the
                        facts in this case indicate that cardholder obtained
                        a government discount from the vendor to provide
                        personal clothing to CBP employees and for which no
                        safety related purpose was served.

14DLA provides worldwide logistics support for the missions of the
military departments and the Unified Combatant Commands under conditions
of peace and war. It also provides logistics support to other DOD
components and certain federal agencies such as DHS.

Abusive and Questionable Transactions

We identified numerous examples of abusive and questionable items acquired
with DHS purchase cards during our testing. We defined abusive
transactions as those that were authorized, but the items purchased were
at an excessive cost (unreasonable pricing) or were not needed by the
government, or both. As an organization whose mandate is to deal with
security and emergency needs, DHS and its employees should adopt prudent
purchasing practices by implementing existing agreements with vendors to
allow favorable pricing even in times of disaster. Questionable
transactions are defined as transactions that appear to be improper or
abusive but for which there is insufficient documentation on which to
conclude.15

Obtaining reasonable pricing for goods or services includes not only
avoiding excessive pricing, but also includes taking reasonable steps to
obtain appropriate discounts. However, vendors often will not provide
discounts unless the government cardholder asks if a discount is
available. We found instances where it was likely a vendor discount could
have been obtained but was not. However, we noted several occasions where
cardholders obtained a point-of-sale discount. For example, an ICE
cardholder obtained 60 sleeping bags and cots from Cabela's. The sleeping
bags and cots were acquired to meet the needs of those affected by the
hurricanes. The cardholder was able to obtain a 10  percent  point-of-sale
discount from the manager. By asking for the discount, the cardholder was
able to save the taxpayer over $750. In another example, FEMA purchased
over $600,000 in medical equipment and supplies from Medtronic
Physio-Control in three separate transactions in order to supply special
medical response teams after the hurricanes. FEMA obtained almost $18,000
in point-of-sale discounts from this vendor.

15GAO's Guide for Evaluating and Testing Controls Over Sensitive Payments
(GAO/AFMD-8.1.2, May 1993) states: "Abuse is distinct from illegal acts
(non-compliance). When abuse occurs, no law or regulation is violated.
Rather, abuse occurs when the conduct of a government organization,
program, activity, or function falls short of societal expectations of
prudent behavior."

In order to obtain the best pricing, it is often beneficial to make
arrangements with vendors in advance of potential spikes in demand for
goods or services. We noted numerous instances where we believe better
pricing could have been obtained had various DHS organizational elements
made arrangements with vendors in advance of the devastating hurricanes
along the Gulf Region. If DHS does not anticipate its needs and get
prearranged pricing from quality vendors, then it must often scramble to
acquire the necessary goods and services during a crisis. Frequently, the
emphasis shifts from efficiency to expediency when acquiring goods and
services during a crisis, resulting in additional and unnecessary costs to
the government. Table 6 lists some examples of abusive and questionable
purchases that we identified at DHS.

Table 6: Abusive and Questionable Transactions

               Item        Organizational                Nature of            
Transaction purchased   element        Vendor         transaction   Amount
             1 Shower      CBP            MD Descant     Abusive      $71,000 
               units                                                  
             2 Dog booties FEMA           Backcountry    Abusive      $68,000 
                                          Gear Limited                
             3 GPS units   FEMA           Best Buy       Abusive      $18,000 
             4 63" Plasma  FEMA           Jan-Tronics    Abusive       $8,000 
               screen                                                 
               television                                             
             5 iPod Nanos  USSS           Apple          Questionable  $7,000 
               and                                                    
               Shuffles                                               
             6 Training    CBP            Sea Palms Golf Abusive       $2,000 
               seminar                    and Tennis                  
                                          Resort                      
             7 Leadership  CIS            Hyatt Golf     Abusive       $2,000 
               conference                 Resort, Spa &               
                                          Marina                      
             8 Beer        Coast Guard    Beer and Wine  Abusive         $230 
               brewing kit                Hobby                       

Source: GAO and DHS OIG investigations of DHS data.

The following provides further details on a number of transactions listed
above:

           o  The first case involved a CBP cardholder who paid for three
           6-person portable shower units when less expensive units could
           have been rented. In this instance, CBP represented to us that
           they did not have time to obtain competing bids because of the
           need to prepare immediate shower units  for CBP personnel in the
           Gulf Region responding to hurricanes. However, because CBP did not
           specify the need for hot water and sinks, the portable shower
           units did not come with this capability. In contrast, a vendor in
           GSA Advantage could have rented two prefabricated 16-person mobile
           shower units with hot water capabilities and had them delivered in
           less time than it took the original vendor to deliver. The cost
           from the GSA Advantage vendor would have been approximately
           $45,000, or 36  percent  less than the nearly $71,000 CBP paid.

           o  In case 2, a FEMA cardholder unnecessarily purchased over 2,000
           sets of canine booties at a cost exceeding $68,000. Canine booties
           are used to protect the dog's paws in a debris laden environment.
           According to FEMA, after the terrorist attacks of 9-11 many
           donated dog booties were placed in storage facilities and were
           mistakenly placed on emergency provisioning lists. When the
           hurricanes struck the Gulf Region, FEMA acquired items on the
           provisioning lists including thousands of additional dog booties
           unnecessarily. However, we were informed by FEMA that since most
           of the search and rescue dogs in the Gulf Region were not
           accustomed to wearing booties, the canine booties continue to sit
           unused in FEMA storage facilities. The error of placing the
           booties on the emergency provisioning list resulted in a $68,000
           unnecessary expenditure.

           o  In case 4, a FEMA cardholder abused a purchase card to acquire
           a Samsung 63 inch plasma screen television on September 16, 2005
           for almost $8,000, lacking a government need. The plasma screen,
           which was not timely recorded in an accountable property system,
           was still unused and in its original box six months after its
           purchase. The fact that it was unused after such an extended
           period of time casts significant doubt as to whether there was a
           legitimate government need for acquiring the 63 inch plasma screen
           in the first place. In addition, as the cost of high-end
           electronic equipment can fall dramatically in a short period of
           time, we found that the same 63 inch plasma screen television
           could have been obtained for $1,200 less at the time we observed
           it in the box at FEMA. Considering the plasma screen was bought at
           the end of the fiscal year and that it was unused 6 months after
           the purchase, a concern arises regarding whether the purchase was
           made to use up remaining funds at the end of the fiscal year.

           o  In case 5, the U.S. Secret Service (USSS) spent over $7,000 to
           acquire 12 Apple iPod Nanos and 42 iPod Shuffles. This purchase is
           questionable because iPods are generally used to store and play
           music-not a legitimate government need. In addition  the USSS did
           not enter the iPod shuffles into its accountable property system.
           After we questioned the validity of the purchase, USSS provided a
           memorandum justifying the purchase on the basis that the iPods
           were used for training and data storage. However, we found that
           other memory devices existed that were not primarily designed to
           play music but would have satisfied the need for data storage.
           USSS did not provide evidence to support its claim that the iPods
           were used in training. Further, USSS represented to us that they
           did not track the iPod shuffles because the iPods cost less than
           the $300 threshold required for accountable property. This is
           inconsistent with established DHS policy that requires all memory
           devices be tracked in a property system. Without appropriate
           substantiation, we could not obtain assurance that the iPods were
           used for legitimate government needs.

           o  Case 6 involved the abusive use of government funds to hold a
           CBP training seminar at the Sea Palms Resort at Saint Simons
           Island in Georgia. We identified a purchase card transaction
           related to this event for about $2,000 and performed additional
           audit work to determine the basis for selecting the resort. We
           found that the golf and tennis resort was used to train 32 newly
           hired attorneys when the nearby Federal Law Enforcement Training
           Center (FLETC) in Glynco, Georgia, could have been used with a
           savings of approximately $10,000. According to the CBP officials
           we interviewed, CBP had determined that the FLETC facility could
           not accommodate their training. However, CBP could not produce any
           documentation such as a request form indicating that CBP had
           contacted FLETC for determining availability. Further, a FLETC
           official in charge of scheduling informed us that FLETC did not
           receive a request from CBP and that had CBP given FLETC sufficient
           notice, it was more than likely that FLETC would have been able to
           accommodate CBP. While training is a necessary investment in human
           capital, cardholders and government officials need to be careful
           stewards of taxpayer's funds. By not contacting FLETC and instead
           using the resort for training, CBP failed to act prudently with
           taxpayer dollars.

           o  In case 7, the U.S. Citizenship and Immigration Services (CIS)
           held its annual leadership conference at the Hyatt Regency
           Chesapeake Bay Golf Resort, Spa and Marina in Cambridge, MD, which
           cost the government about $40,000 in additional travel expenses.
           We initially selected this transaction because a CIS cardholder
           had paid the resort about $2,300 for materials used in a team
           building exercise. Irrespective of the merits of the team building
           exercise expenses, holding the annual leadership conference about
           90 miles outside Washington, D.C. resulted in roughly 50
           Washington, D.C. based staff incurring travel expenses for
           lodging, meals, and other expenses. About 110 CIS employees
           attended the July 2005 conference. According to a March 25, 2005,
           CIS memorandum documenting the CIS conference planning efforts,
           CIS officials only contacted resorts outside the Washington, D.C.
           normal commuting area. If CIS had held the annual conference
           within the Washington, D.C. commuting area, the 50 of the
           employees would not have incurred travel expenses and the savings
           to the government would have been about $40,000.

           o  Case 8 involved a Coast Guard cardholder who abused his
           purchase card to obtain beer brewing equipment and ingredients,
           and wasted government resources by brewing alcohol while on duty.
           The cardholder, whose duties involved planning, procuring, and
           organizing social functions for the Coast Guard Academy, purchased
           a beer brewing kit for about $230 and additional ingredients.
           According to the Coast Guard, the beer kit provided the Academy
           with both a cost savings and a quality product for official
           parties attended by cadets, dignitaries, and other guests of the
           Superintendent. The Coast Guard also explained that the Coast
           Guard beer, with the custom Coast Guard themed labels, functioned
           as an "ice-breaker" for discussion at these official parties.

           Our subsequent work indicated that the Academy achieved no cost
           savings by brewing their own beer. From early August 2005 through
           March 2006, the Academy used an additional $800 on beer brewing
           ingredients16 to brew 532 bottles of beer, or 12 batches. The
           Coast Guard estimated that it took two hours to brew, bottle, and
           label each batch of Coast Guard beer. Given a conservative
           approximate hourly labor rate of $15, it would cost over $13 for a
           six-pack of Coast Guard beer-considering the variable costs alone
           (ingredients and labor). The Coast Guard provided GAO with a
           detailed 5-year analysis showing a cost savings but the analysis
           failed to account for any labor costs. Absent the purported cost
           savings and the dubious need for the government to brew its own
           alcohol, the purchase of the kit and the beer brewing activity
           itself fall short of prudent use of taxpayer dollars and therefore
           exemplify purchase card abuse.

Concluding Observations

The purchase card has proven to be a valuable tool that provides the
government flexibility in making purchases and saves money on transaction
processing. However, putting purchasing decisions in the hands of about
9,000 DHS employees with ineffective management oversight and control has
allowed  potentially fraudulent, improper, and abusive or questionable
usage of these purchase cards  to go undetected. Some of the examples
highlighted in this testimony related to Hurricanes Katrina and Rita show
that the government is particularly vulnerable when purchase cards are
used during times of disaster. Taking immediate action to improve the
processes and internal controls over its purchase card program will help
DHS maximize the value and benefit of the purchase card and provide
reasonable assurance that fraud, waste, and abuse are minimized.

16According to Coast Guard finance personnel, funds from the Coast Guard
Foundation, Inc. were used to purchase the beer brewing ingredients. The
Foundation is a public nonprofit organization that provides annual funding
to support the men and women of the U.S. Coast Guard and Coast Guard
Academy. The Foundation's fundraising efforts address needs not met
through traditional governmental and military funding sources. The
Foundation supports such activities as a holiday calling-card program,
capital improvements, and education grants. Although the ingredients were
not purchased with appropriated funds, the resources provided by the
Foundation could have been spent for other purposes, for example
educational grants, had they not been used to brew beer.

_________________________________________________

Madam Chairman and Members of the Committee, this concludes our statement.
We would be pleased to answer any questions that you or other members of
the committee may have at this time.

                          Contacts and Acknowledgments

For further information about this testimony, please contact Gregory D.
Kutz at (202) 512-7455 or [email protected] at GAO or Matt A. Jadacki at (202)
254-5477 or [email protected] at DHS OIG. GAO individuals making key
contributions to this testimony included James Ashley, Kord Basnight,
James Berry, Beverly Burke, Jennifer Costello, Danielle Free, Christine
Hodakievic, Ryan Holden, Aaron Holling, John Kelly, Tram Le, John Ledford,
Barbara Lewis, Jenny Li, John Ryan, Robert Sharpe, Bethany Smith,
Tuyet-Quan Thai, Patrick Tobo, and Michael Zola. DHS OIG individuals
making key contributions to this testimony included Modupe Akinsika, Andre
Marseille, and Frank Parrott.

Contact points for our Offices of Congressional Relations and Public
Affairs may be found on the last page of this testimony.

                   Appendix I: Prior GAO Purchase Card Audits

VHA Purchase Cards: Internal Controls Over the Purchase Card Program Need
           Improvement. GAO-04-737 . Washington, D.C.: June 7, 2004.

Purchase Cards: Increased Management Oversight and Control Could Save
Hundreds of Millions of Dollars. GAO-04-717T . Washington, D.C.: April 28,
2004.

Forest Service Purchase Cards: Internal Control Weaknesses Resulted in
Instances of Improper, Wasteful, and Questionable Purchases. GAO-03-786 .
Washington, D.C.: August 11, 2003.

HUD Purchase Cards: Poor Internal Controls Resulted in Improper and
Questionable Purchases. GAO-03-489 . Washington, D.C.: April 11, 2003.

Purchase Cards: Steps Taken to Improve DOD Program Management, but Actions
Needed to Address Misuse. GAO-04-156 . Washington, D.C.: December 2, 2003.

FAA Purchase Cards: Weak Controls Resulted in Instances of Improper and
Wasteful Purchases and Missing Assets. GAO-03-405 . Washington, D.C.:
March 21, 2003.

Purchase Cards: Control Weaknesses Leave the Air Force Vulnerable to
Fraud, Waste, and Abuse. GAO-03-292 . Washington, D.C.: December 20, 2002.

Purchase Cards: Navy is Vulnerable to Fraud and Abuse but Is Taking Action
to Resolve Control Weaknesses. GAO-02-1041 . Washington, D.C.: September
27, 2002.

Government Purchase Cards: Control Weaknesses Expose Agencies to Fraud and
Abuse. GAO-02-676T . Washington, D.C.: May 1, 2002.

Purchase Cards: Control Weaknesses Leave Army Vulnerable to Fraud, Waste,
and Abuse. GAO-02-732 . Washington, D.C.: June 27, 2002.

Purchase Cards: Control Weaknesses Leave Two Navy Units Vulnerable to
Fraud and Abuse. GAO-02-32 . Washington, D.C.: November 30, 2001.

                            Appendix II: Background

The Department of Homeland Security's (DHS) purchase card program is part of the
    General Services Administration's (GSA) Smart Pay(R) program, which was
  established to streamline federal agency acquisition processes for eligible
  purchases by providing a low-cost, efficient vehicle for obtaining goods and
    services directly from vendors. Under the GSA blanket contract, DHS has
           contracted with U.S. Bank for its purchase card services.

To assist DHS organizational elements in carrying out their various
missions, such as that of the U.S. Coast Guard (Coast Guard),17 U.S.
Customs and Border Protection (CBP),18 Transportation Security
Administration (TSA),19 and the Federal Emergency Management Agency
(FEMA),20 DHS reported that it used purchase cards for more than 1.1
million transactions valued at more than $420 million in fiscal year 2005.
According to DHS data, the purchase card activity for the Coast Guard,
CBP, TSA, and FEMA accounted for $364 million or about 86 percent of the
more than $420 million in fiscal year 2005 DHS purchase card payments.
Table 1 identifies the number and dollar amount of purchase card
transactions during fiscal year 2005 for these and other DHS components.

17The Coast Guard's mission is to protect the public, the environment, and
U.S. economic interest in the nation's ports and waterways, along the
coast, on international waters, or in any maritime region as required to
support national security.

18CBP is responsible for protecting U.S. borders in order to prevent
terrorists and terrorists' weapons from entering the U.S. while
facilitating the flow of legitimate trade and travel.

19TSA's mission is to protect the nation's transportation systems to
ensure freedom of movement for people and commerce.

20FEMA is responsible for preparing the nation for hazards, managing
federal responses and recovery efforts following any national incidents or
disasters, and administering the National Flood Insurance Program.

Table 7: Number and Amount of Fiscal Year 2005 Purchase Card Transactions

                                                                Percentage of 
                           Number of            Amount of                     
                          transactions         transactions     DHS purchase  
                                                                              
DHS Component         (in thousands)       (in millions)     card payments 
Coast Guard                         568                 $227           54% 
CBP                                 295                   66            16 
TSA                                  74                   38             9 
FEMA                                 31                   32             8 
Other DHS                                                                  
components                          178                   60            13
Total                             1,146                 $423          100% 

Source: GAO analysis of U.S. Coast Guard Finance Center's reports.

Management of the DHS Purchase Card Program

DHS's Purchase Card Program Management Office, which is within the office
of the Under Secretary for Management-Chief Financial Officer (CFO), is
responsible for the overall management of the DHS purchase card program.
In carrying out its management responsibilities, the Purchase Card Program
Management Office has a directive for use by all DHS components on the
Government Purchase Card Program. In addition, the Office of the Chief
Financial Officer developed a draft manual, which has been in draft since
March 8, 2004. This draft manual describes the various roles and
responsibilities of key program management functions and the overall
business process for carrying out the purchase card program. Regarding key
management functions, the Agency Program Coordinator has responsibility
for managing the overall program and working through the CFO and Chief
Procurement Officer on purchase card issues; developing, implementing, and
updating the program policies, procedures, and guidelines; and ensuring
the implementation of and compliance with adequate internal controls in
the management of the program, as well as serve as the communication
liaison between DHS and the U.S. Bank. Further, within each DHS component,
an Organizational Program Coordinator(s) is designated to oversee the
purchase card program within that component (e.g., Coast Guard). Their
responsibilities include controlling issuance, revocation, and the closing
of purchase cards; providing, monitoring, and maintaining training prior
to issuance of the purchase card and annual refresher training for all
cardholders and approving officials; and managing and conducting oversight
of the program (includes span of control and ongoing and annual reviews to
ensure compliance with the program requirements). Figure 3 illustrates
DHS's business process for carrying out the purchase card program.

Figure 3: DHS Purchase Card Program Flowchart

Coast Guard Is a Steward for DHS's Purchase Card Program

Since February 2004, the U.S. Coast Guard Finance Center (Finance Center)
has been operating under a Memorandum of Understanding with DHS to be the
servicing agent providing centralized invoicing and payment of all DHS
purchase card activity. The Finance Center has developed and implemented a
system that supports the receipt of daily invoices from U.S. Bank for all
DHS components, supports the payment of those invoices within one business
day of receipt, and provides transmission of an electronic file containing
transaction data to each component's accounting system. The intent of the
daily payment is to maximize the performance rebates earned by the
purchase card program.

On a daily basis, U.S. Bank's Customer Automation and Reporting
Environment generates an invoice file containing transaction level data
for all DHS purchase card activity posted on the previous day and submits
the file to the Finance Center, where the file is loaded into the Finance
Center's Consolidated Billing System. Among other things, this system is
used to process all purchase card transactions and provide data to
participating DHS components. Cardholders are responsible for identifying
any discrepancies on their billing statements and contacting the merchant
to resolve any disputed transactions. If the cardholder is unable to
resolve the dispute with the merchant, he or she has up to 60 days from
the statement date to file a dispute form with U.S. Bank and request a
credit. Approving officials are responsible for (1) receiving and
reviewing their assigned cardholders' monthly statement to ensure all
charges were allowable and conducted within acquisition guidelines, (2)
determining that the goods or services were received, and documentation is
complete, and (3) verifying that the cardholder follows through in
resolving any disputed transactions with the merchant and U.S. Bank. An
approving official's certification of the monthly billing statement cannot
occur until the cardholder, or in some cases, the approving official,
performs and completes a reconciliation of all charges on the statement.

                      Appendix III: Scope and Methodology

To assess whether DHS's internal control policies and procedures are
adequately designed to provide reasonable assurance that fraud, waste, and
abuse are minimized and are operating effectively to prevent or detect
potentially fraudulent, abusive, and improper purchase card use, we
reviewed and tested key purchase card controls over purchase card use by
DHS's major organizational elements.21 Our review of purchase card
controls covered:

           o  DHS's and its organizational elements' overall management
           control environment, including (1) management's role in
           establishing needed controls, (2) the numbers of cardholders,
           cardholder accounts, approving/billing officials, and program
           coordinators, (3) training provided for cardholders, (4)
           monitoring and audit of purchase card activity, and (5)
           effectiveness of purchase card infrastructure;

           o  attribute tests on a statistical sample of key controls over
           purchase card transactions made during the period from June 13,
           2005 through November 12, 2005, including (1) proper written
           preauthorization of purchases, (2) maintenance of sales
           documentation, (3) documented performance of independent
           confirmation that items or services paid for with the purchase
           card were received, and (4) documentation that cardholders gave
           priority to designated sources; and

           o  data mining of the population of transactions made during the
           above mentioned test period to identify potentially fraudulent,
           improper, and abusive or questionable purchase card transactions.

21Major organizational elements include the U.S. Secret Service, U.S.
Coast Guard, Transportation Security Administration, U.S. Customs and
Border Protection, U.S. Citizenship and Immigration Services, U.S.
Immigration and Customs Enforcement, Federal Emergency Management Agency,
Federal Law Enforcement Training Center, and other headquarters-level
entities.

Departmental and Organizational Element Control Environment

To assess the overall management control environment for DHS's purchase
card program, we obtained an understanding of the processes utilized by
DHS and its major organizational elements by interviewing officials
involved in overseeing and managing the various purchase card activities,
analyzing each entity's control procedures and processes, and performing
walk-throughs of the detailed processes utilized at the major
organizational elements to request, approve/authorize, make, document, and
verify/certify transactions using purchase cards. We also analyzed the
database of active cardholders to assess the ratios of approving/billing
officials to assigned cardholders and cardholder accounts and assessed
cardholder training. For these tests, we utilized the active member
cardholder database provided by U.S. Bank covering the period from June
2005 through December 2005. We also visited and interviewed officials of
the Coast Guard's Finance Center, Chesapeake, Virginia, DHS's purchase
card paying agent, to discuss the payment and management oversight
processes utilized to ensure the timely processing of payments and the
reasonableness and appropriateness of transactions.

Statistical Sample of Internal Control Procedures

We obtained and reviewed the U.S. Bank-provided database of purchase card
transactions covering the period from June 13, 2005, through November 12,
2005, and analyzed a random probability sample of these transactions to
assess compliance with key internal controls. The sample design was a
simple random probability sample of 96 transactions. The sample size was
calculated to achieve a precision of any estimated internal control error
rate for the category (except accountable property) to be +/- 10
percentage points or less. With this probability sample, each transaction
in the population had a known, nonzero probability of being selected. Each
selected transaction was subsequently weighted in the analysis to account
statistically for all the transactions in the population, including those
not selected.

Because we selected a sample of transactions, our results are estimates of
a population of transactions and thus are subject to sample errors that
are associated with samples of this size and type. Our confidence in the
precision of the results from this sample is expressed in 95-percent
confidence intervals. The 95-percent confidence intervals are expected to
include the actual results in 95 percent of the samples of this type. We
calculated confidence intervals for this sample based on methods that are
appropriate for a simple random probability sample.

To test compliance with internal controls, we applied procedures in GAO's
Audit Guide: Auditing and Investigating the Internal Control of Government
Purchase Card Programs (GAO-04-87G, Washington, D.C.: November 2003) and
internal control standards included in the draft manual dated March 8,
2004. We utilized DHS's draft manual because we found that DHS had not
issued an official standardized set of purchase card policies and
procedures since the department was established by the Homeland Security
Act in November 2002. Further, our review of the draft procedures showed
that the procedures contained a reasonable set of standards that were
generally consistent with good purchase card operating policies and
procedures utilized by other governmental entities we had audited and
covered in GAO's Audit Guide. We also reviewed (1) OMB Circular No. A-123,
(2) Treasury Financial Manual Vol. 1 Part 4-4500 "Government Purchase
Cards," (3) FAR, (4) organizational policies, including draft
organizational policies, and (5) GAO's Standards for Internal Controls.

Data Mining

In addition to selecting statistically projectable samples of transactions
to test specific internal controls, we also made nonrepresentative
selections of transactions from these entities. We conducted separate
analysis of transactions that appeared on the surface to be potentially
fraudulent, improper, and abusive or questionable.

Our data mining for transactions was limited in scope. For this review, we
scanned the population of transactions for vendor names and merchant codes
that are likely to sell goods or services that are personal in nature,
listed on DHS's restricted/prohibited lists, or are otherwise
questionable. Our expectation was that transactions with certain vendors
had a more likely chance of being fraudulent, improper, and abusive or
questionable. We reviewed and made inquiries about 200 transactions with
vendors that sold such items as sporting goods, sporting event tickets,
groceries, clothing, jewelry, alcohol, entertainment, or were third-party
payers, such as PayPal. Our inquiries also identified some purchases that
turned out to be legitimate in terms of need but could have been obtained
from vendors at significant price savings. We found other purchases were
made during conditions of exigency that under normal operating conditions
would not or should not have been made. While we identified, and performed
limited inquiries about, some potentially fraudulent, improper, and
abusive or questionable transactions, our work was not designed to
identify, and we cannot determine, the extent of fraudulent, improper, and
abusive or questionable transactions.

We briefed DHS on the details of our work, including our scope, and
methodology and our findings. We conducted our audit work from October
2005 through June 2006 in accordance with U.S. generally accepted
government auditing standards, and we performed our investigative work in
accordance with standards prescribed by the President's Council on
Integrity and Efficiency.

(192211)
*** End of document. ***