WIXLIB

The EPA OIG also participated in the CIGIE cross-cutting project to analyzegovernment purchase card transactions. We determined that the CIGIEtransactions and methodology should be incorporated into our audit of theEPA’s purchase card and convenience check program.The CIGIE information technology committee had created weighted algorithms todetermine high-risk transactions. According to CIGIE methodology, the followingcategories of transactions merited closer review: Prohibited Merchant Category Codes.Questionable Merchant Category Codes.Cardholder Exceeded Single-Purchase Limit.Split Transaction.Sales Tax Transaction.Holiday Transaction.Weekend Transaction.Unauthorized Third-Party Merchants.Closed Account Activity.We used these algorithms to identify 23 sample purchase card transactions foreach of the first three quarters of FY 2017.In addition, we judgmentally selected a sample of six convenience checktransactions for review, each of which was 2,000 or above. As a result, the totalsample was 75 transactions involving 70 cardholders and 67 approving officials,as shown in Table 1. The value of all sampled transactions was 58,128.26.Table 1: EPA transactions sampledTransaction typePurchase cardConvenience checkTotal1st Qtr.FY 20172322nd Qtr.FY 20172323rd Qtr.FY 2017232Total69675Source: OIG samples.Each transaction was reviewed for compliance with 16 EPA policy and procedurerequirements.We interviewed staff within the Office of Acquisition Management and obtaineddocuments from PaymentNet (PNET), the EPA’s acquisition system, andcardholder files. After reviewing sampled transaction documents, we emailed andinterviewed cardholders and approving officials as needed. We also followed upon the March 2014 EPA OIG audit recommendations for EPA purchase cards.18-P-02323

ResultsPurchase Card Users Must Comply with Federal and EPARequirementsRelevant law, policy, procedures andguidance include the following: The Government Charge CardAbuse Prevention Act of 2012requires executive agencies to use“effective systems, techniques andtechnologies to prevent or identifyillegal, improper or erroneouspurchases.” The act also requiresagencies to have policies about thenumber of purchase cards.A computer hard drive is a typical item boughtthrough one of the sampled purchase cardtransactions. (EPA OIG photo)Standards for Internal Control inthe Federal Government, GAO-14-704G, September 2014, states that:o Management should use quality information to achieve objectivesand address risks.o Management should identify and respond to risks for achievingobjectives.18-P-0232 Management’s Responsibility for Enterprise Risk Management andInternal Control, OMB Circular A-123, July 15, 2016, notes that it ismanagement’s responsibility to continuously monitor, assess and improveinternal control effectiveness. Further, management should identify andcorrect control deficiencies. Improving the Management of Government Charge Card Programs, OMBCircular A-123, Appendix B, January 15, 2009, prescribes policies andprocedures for internal controls to reduce government charge card risks offraud, waste and error. The EPA Acquisition Guide, Section 13.3.1, Using the Government-wideCommercial Purchase Card, December 2015, establishes policy for usinggovernmentwide commercial purchase cards at the EPA. The guidelinesdetail requirements for approvals, special approvals, closer scrutiny,mandatory sources and strategic sourcing. The EPA’s Agency-Wide Purchase Card Standard Operating ProceduresPayment Net (PNET) Purchase Card Automation Process states thateffective August 1, 2015, all purchase card transactions are required4

to be documented in PNET. Failure to document transactions in PNETresults in suspension of purchase card privileges until PNET is updated.EPA Internal Controls Were Not EffectiveAlthough the EPA implemented numerous internal controls for its purchase cardand convenience check program in response to the 2014 EPA OIG audit report,we found that the agency’s internal controls were not effective to prevent anddetect material illegal, improper or erroneous purchases. Cardholders, approvingofficials, the purchase card team, and program offices were not providingoversight needed to achieve compliance with internal controls.Although cardholders must ensure that each purchase request complies withfederal and agency acquisition and appropriation rules, in most transactions, theydid not. Approving officials are responsible for ensuring compliance with allapplicable regulations, policies, procedures and special approvals; however, theyoften did not. Table 2 notes that each of the 69 purchase card and six conveniencecheck transactions sampled had at least one noncompliance.Table 2: Tested transactionsTypeCompliantPurchase cards0Convenience checks0Noncompliant696Source: OIG analysis of tested transactions.Purchase Card NoncompliancesNumerous noncompliances were noted for each of the FY 2017 quarterstested. Some transactions did not comply with multiple requirements, asnoted in Table 3.Table 3: Purchase card noncompliances for 69 transactions1st Qtr. 2nd Qtr. 3rd Qtr.No.Internal control issuesFY 2017 FY 2017 FY 2017 Total1Not approved by approving official in17191551PNET by the 28th of the month.2All supporting documentation not in15161243PNET as required.3Missing justification for not using891027mandatory sources.4Missing third-party verification for6101026goods received.5Missing required purchase log.10882667818-P-0232Missing/inadequate approving officialapproval prior to purchase.Purchases were not declined forblocked merchant category codes.Third-party payment processingprocedures were not followed.6792275820735155

No.91011Internal control issuesFund availability was not verified priorto placing the order.Sales taxes paid without justification.Other (one or fewer instances perquarter).1st Qtr. 2nd Qtr. 3rd Qtr.FY 2017 FY 2017 FY 2017 Total5711323031238Source: OIG analysis of tested transactions (23 per quarter).The following transactions illustrate a variety of noncompliances: 1,100 transaction to purchase a wireless projector. The cardholderdid not obtain information technology approval for the purchase, didnot justify why mandatory sources were not used, did not documentthat funds were available, did not obtain third-party verification fromthe property utilization officer, and the approving official did notapprove the transaction in PNET by the 28th of the month. 1,347 transaction to purchase computer memory. The cardholderdid not maintain all supporting documentation in PNET, did notdocument justification for not using mandatory sources, paid salestaxes on items purchased and did not document a justification forpaying the sales tax, and did not create and maintain a purchase login PNET. In addition, the approving official did not approve thetransaction in PNET by the 28th of the month. 3,125 transaction to purchase laboratory chemicals. Thecardholder not obtain approval from the approving official prior toplacing the order and did not consolidate two similar transactions thatexceeded the single-purchase limit. 1,442 transaction to purchase editing services. Although restrictedto an acquisition professional, the cardholder—not an acquisitionprofessional—did not comply with mandatory verification steps forvendors using third-party payment processing services. In addition, theapproving official did not approve the transaction in PNET by the 28thof the month.Convenience Check NoncompliancesThe six convenience check transactions that we reviewed had similarnoncompliance issues. For example, in three transactions, funding availabilitywas not verified prior to the cardholder’s involvement. Table 4 notes that infour transactions, not all of the supporting documentation was placed in PNETas required.18-P-02326

Table 4: Convenience check noncompliances for six transactions1st Qtr. 2nd Qtr. 3rd Qtr.No.Internal control issuesFY 2017 FY 2017 FY 2017 Total1Missing approval from an approving official1225prior to purchase.2Not approved by approving official in PNET2215by the 28th of the month.3All supporting documentation not in PNET2114as required.4Fund availability not verified prior to placing1023the order.5Restricted transaction requiring an0022acquisition professional.6Missing third-party verification for goods0101received.7Tax identification not obtained at time of0101purchase.8Missing required purchase log.01019Unable to determine whether training officer0011approval was provided.10Unable to determine total price of purchase.0011Source: OIG analysis of tested transactions (two per quarter).In the case of a 2,000 training transaction,the dates of purchase, funding and trainingapproval were unknown. Also, it was arestricted transaction that should have beenmade by an acquisition professional, and theapproving official approved the transactionlate in PNET.EPA Has Not Implemented ProactiveControlsComputer accessories like this dockingstation are typical items obtained throughone of the sampled purchase cardtransactions. (EPA OIG photo)Despite the EPA’s control efforts, oversightis weak. The purchase card team, which isresponsible for administering the EPApurchase card program, does not have enough staff to implement effectiveproactive and detective controls. Instances of cardholder noncompliance primarilyresulted from ineffective training and/or a lack of monitoring and controlactivities. Also, the EPA does not have a specific policy to address the appropriatenumber of cardholders needed to make purchases in compliance with EPA policyand procedures.The following transactions note specific causes of noncompliance related to thepurchased goods and services.18-P-02327

Goods Computer keyboards. The cardholder did not know that documentinga justification for not using mandatory sources is required.Laboratory supplies. The cardholder did not know that the vendorused a third-party payment processing service when the order wasplaced.Laboratory supplies. The approving official did not think that PNETwas required and did not know about its relevance to the EPA.Remote garage door opener. The cardholder was not aware thatdocumenting a justification for not using a mandatory source isrequired.ServicesIn one training course transaction, the approving official did not approve thetransaction in PNET because the official did not know approval was requiredby the 28th of the month. In another training course transaction, the cardholderwas unaware of the mandatory steps for vendors using third-party paymentprocessing services, including the process for purchase orders. A thirdexample involved a training course where the cardholder did not validate thetransaction in PNET to notify the approving official of the need to review andapprove. A fourth example involved a training course and a conveniencecheck holder who was only involved at the end of the process.Ineffective Oversight Increases Risk and Results in ImproperPurchasesIneffective oversight contributes to risks of illegal, improper and erroneouspurchases. Even though the OIG did not identify any fraudulent or illegaltransactions, all sampled transactions were noncompliant with at least one internalcontrol. Also, none of the 75 reviewed transactions were in complete compliancewith EPA requirements. The totalsample value was 58,128, of which 57,017 represented impropertransactions.We defined improper transactions aspurchases that, although intended forgovernment use, were made contraryto and despite the EPA’s writtenpurchase guide and procedurerequirements. We did not include asimproper transactions, instanceswhere post-purchase administrative18-P-0232Computer keyboards are also common itemsobtained through one of the sampled purchasecard transactions. (EPA OIG photo)8

requirements (such as placing documents in PNET, starting a purchase log orobtaining third-party verification after the purchase) were not met. The followingexamples of noncompliance were deemed improper: Cardholder did not obtain pre-approval.Cardholder did not obtain funding in advance.Cardholder did not use mandatory or strategic sources.Cardholder did not follow steps for third-party processors.Cardholder split transactions that would have exceeded the micropurchase level.Purchase was not made by an acquisition professional cardholder asrequired.Special approval by an Information Management Officer was not obtainedfor information technology equipment purchases.Merchant Category Code blocking did not work.The total dollar amounts for improper purchase card and convenience checktransactions are found in Table 5.Table 5: Dollar value of improper purchases by quarterFY 2017Improper purchasequarteramounts1st Qtr. 16,858.372nd Qtr.18,315.773rd Qtr.21,843.22Total 57,017.36Source: OIG analysis of tested purchase card and conveniencecheck transactions.ConclusionIn response to our discussion document, theEPA agreed with and committed to severalactions summarized in the 11 recommendationsthat accompany this report.The EPA also completed several actions.The agency issued “Flash Notices” duringJanuary 2018 and April 2018 to cardholdersand approving officials to remind them thatthey are required to consider the availableEPA-mandated, strategic-sourcing contractsLaboratory supplies are typical items obtainedand mandatory sources. The agency providedthrough one of the sampled purchase cardtransactions. (EPA OIG photo)training on purchase card requirements to theOffice of Acquisition leadership in April 2018.In addition, the agency developed draft purchase cardtraining slides to address issues identified in this audit.18-P-02329

RecommendationsWe recommend that the Assistant Administrator for Administration andResources Management:1. Conduct an assessment and determine how to enhance controls, reduceconfusion and achieve compliance.2. Determine whether adding language about cardholder and approvingofficial responsibilities to performance standards would be beneficial andimprove compliance.3. Implement preventive controls that would stop transactions that do nothave required approvals or funding.4. Fully implement and increase the use of detective controls, such as regulartransaction reviews for purchase card and convenience check compliance.5. Issue guidance regarding penalties for noncompliance and the process forsuspending cardholder privileges due to noncompliance.6. Revise guidance for strategic and mandatory sources to provide a simpleroad map for programs, cardholders and approving officials.7. Enforce the requirement for convenience check account holders and theirapproving officials to be involved in convenience check transactions fromthe beginning of the order process.8. Provide detailed training on EPA purchase card guidance, policy andexpectations to cardholders and approving officials.9. Take steps to rectify purchases made without prior funding approval.10. Implement a policy regarding the appropriate number and categories ofpurchase cardholders.We recommend that the Deputy Administrator:11. Issue an agencywide memorandum to emphasize compliance with federaland EPA requirements for purchase card and convenience checktransactions.18-P-023210

Agency Comments and OIG EvaluationIn its response to our draft report, the EPA concurred with all 11recommendations and provided acceptable high-level corrective actions withestimated completion dates.In response to Recommendation 1, which recommended that the EPA conduct anassessment and determine how to enhance controls, the Office of Administrationand Resources Management will establish a work group to conduct an assessmentand brainstorm how to enhance controls, reduce confusion and achieve compliance.Within the same timeframe, the EPA will issue a memorandum to resource officialsrequiring them to enhance controls and achieve compliance. The agency’s responsemeets the intent of Recommendation 1.For Recommendation 2, we recommended that the EPA determine whether itwould be beneficial to add language about cardholder and approving officialresponsibilities to performance standards. The EPA referred to existing EPAAcquisition Guide language to include purchase card responsibilities inperformance appraisals. The EPA stated that within 30 days of the response, theagency’s purchase card team will issue a reminder E-Blast notice regarding theexisting EPA Acquisition Guide language. The agency’s response meets the intentof Recommendation 2.In response to Recommendation 3, which recommended that the EPA implementpreventive controls, the EPA stated that the agency will address corrective actionsthrough the work group formed in response to Recommendation 1. With theOffice of Administration and Resources Management’s work group assessment,and the implementation of preventive controls that will stop transactions fromoccurring without required approvals or funding, the planned corrective actionsmeet the intent of the Recommendation 3.For Recommendations 1, 2 and 3, the EPA provided an estimated completion dateof October 5, 2018.In response to Recommendation 4, which recommended that the EPA implemen

and Convenience Check Program Warrants an Audit, was issued February 14, 2017. In that report, we assessed the risk for the EPA's purchase card and convenience check program was high enough to warrant an audit because of noncompliance with existing controls. On October 11, 2017, we notified the EPA that we were beginning the audit.