Internal Audit Review
Oregon Department of Education
Small Purchase Order Transaction System
(SPOTS) Card Program
(Amended Report)
Report Released: April 1, 2009
Management Response: July 23, 2009
John Hutzler, JD, CIA, CGAP, CCSA
Chief Audit Executive
Oregon Department of Education
i
Internal Audit Review
Oregon Department of Education
Small Purchase Order Transaction System
(SPOTS) Card Program
Table of Contents
Executive Summary 1
Background 2
Objectives, Scope, and Methodology 4
Audit Results 5
Oregon Accounting Manual (OAM) Compliance Issues 5
Segregation of Duties Issues 5
Training Issues 5
Other OAM Compliance Issues 6
Compliance with ODE SPOTS Policy and Procedures 8
Timeliness of processes 10
Other matters 11
Follow-Up on 2005 SPOTS Audit 11
Management Response…………………………………………………………………..13
i
Internal Audit Review
Oregon Department of Education
Small Purchase Order Transaction System
(SPOTS) Card Program
Executive Summary
Purchasing cards permit authorized employees to purchase products or services directly from vendors without having to go through the traditional paper-based procurement-to-payment process. Stringent controls over purchasing card programs are necessary to ensure charges are reasonable, in accordance with organizational policies, properly recorded, and made by a valid cardholder.
ODE first began purchasing with SPOTS cards in June 2004. The primary objectives of this review were to assess the compliance of the ODE SPOTS Card Program and purchases with the Oregon Accounting Manual (OAM) and ODE Policy and Procedure, to help ensure good controls are in place, to identify program strengths and weaknesses, and to follow up on findings and recommendations from a previous audit. The scope of the review was limited to fiscal year 2007-2008.
I identified instances of non-compliance with OAM and ODE policies and procedures, several control weaknesses that could result in further non-compliance, and opportunities to improve the efficiency and timeliness of program monitoring and accounting practices.
To address these conditions I made a number of recommendations. In brief, I recommended that management:
· Ensure full compliance with state and agency policies and procedures for the SPOTS Card Program.
· Improve the timeliness of SPOTS processes for reconciliation, payment, and accounting.
· Make more effective use of monitoring reports available through the bank.
As noted in the report, management has already implemented several of the recommendations. I requested a management response to the recommendations. However, when management did not respond within the timeframe established by ODE Policy and Procedure, I released the report. Now that management has responded, I am releasing an amended report that includes the management response.
Internal Audit Review
Oregon Department of Education
Small Purchase Order Transaction System
(SPOTS) Card Program
Background
Purchasing cards permit authorized employees to purchase products or services directly from vendors without having to go through the traditional paper-based procurement-to-payment process. Widely used by government agencies, educational institutions and corporations, purchasing card programs can reduce overhead costs by eliminating the need for individual purchase orders or contracts for each transaction, particularly for low-value purchases.
In 2003, the U.S. federal purchasing card program accounted for $16 billion in government expenditures. Local government, public and private universities, school districts and private industry also increasingly uses purchasing cards. Total purchasing card spending in North America is projected to reach $218 billion in 2012.
The need to increase operational efficiencies and cut costs is fueling the expanded use of purchasing cards. According to the 2007 Purchasing Card Benchmark Report, purchasing card programs can cut up to eight days off purchasing cycle time, reduce the number of suppliers in AP databases by more than 30 percent, and reduce the staffing required for AP and procurement functions. In 2002, the U.S. General Services Administration (GSA) estimated the federal government saved $1.2 billion annually by using purchasing cards. The 2007 Purchasing Card Benchmark Survey estimated annual transactions cost saving of more than $34 billion within North America.
While purchasing cards have been in use for some time, the number of cardholders, the number and the size of transactions, and the kinds of products and services purchased have changed. Many government departments and businesses have increased spending limits and allowed non-supervisor personnel to use purchasing cards. An organization might have set a $1,000 limit on cards several years ago. To allow for purchases such as software and computer equipment, that limit may now be $5,000 or more.
ODE first began purchasing with SPOTS cards in June 2004. The ODE SPOTS Card Program has grown substantially over the years. By February 25, 2005, there were 16 open SPOTS accounts in ODE, and as of August 26, 2008, there were 29 open SPOTS Card accounts. Of those 29 accounts, thirteen cardholders were Oregon School for the Deaf (OSD) employees, seven were Oregon School for the Blind (OSB) employees, four were in Procurement Services, and five were in other units within ODE.
In the first eight months of the program, SPOTS card users made an average of 100 charges per month, and the average transaction was about $115. Between July 1, 2007 and June 30, 2007 (FY08), ODE employees completed about 175 SPOTS transactions per month, and the average transaction had grown to about $175. In FY08 ODE employees made 2123 purchases with SPOTS cards, totaling nearly $375,000.
Monthly limits for cardholders in Procurement Services increased from $5,000 at the end of 2004 to $7500 in FY08. Monthly limits for several other cardholders increased from $1,000 to $5,000. The combined monthly credit limit for all cardholders grew from $41,700 as of 12/31/04 to more than $93,000 as of 12/31/07.
Increased use of purchasing cards can create efficiencies, including quicker receipt of goods, reduced transaction costs, greater buying power, opportunities to redeploy staff to higher-value activities, and others. With the success of these programs, however, come significant challenges.
In a typical purchase-to-payment process, management can ensure the validity of the purchase far in advance of receiving an invoice. Many organizations accomplish this during the requisition or purchase order approval process. Simple controls such as ensuring that someone other than the buyer authorizes purchases help to maintain purchase order validity.
Although they provide savings and efficiencies, purchasing card programs increase risks by allowing the same person to order, pay for, and receive goods or services, providing an opportunity to bypass standard purchase-to-payment cycle controls or commit fraud. Cardholders can circumvent internal controls by splitting purchases or sharing cards to bypass business rules governing purchase limits. Non-cardholder fraud can also occur, where an unauthorized person uses the card or cardholder data.
Stringent controls over purchasing card programs are necessary to ensure charges are reasonable, in accordance with organizational policies, properly recorded, and made by a valid cardholder. To mitigate business risk, management needs well-formulated strategies to ensure that comprehensive controls are in place and operating effectively, and that appropriate and prompt action follows any breach of controls. Effective purchase card programs depend on the proper training of users to manage their card use.
Objectives, Scope, and Methodology
This review had five primary objectives as follows:
· Assess the compliance of the ODE SPOTS Card Program with the requirements of the Oregon Accounting Manual and ODE SPOTS Policy and Procedure
· Gain a reasonable level of assurance that SPOTS card purchases comply with the agency’s internal policies and guidelines and the Oregon Accounting Manual.
· Help ensure good controls are in place over SPOTS card practices to protect the agency’s assets;
· Identify strengths, weaknesses and areas that need improvement within the SPOTS card program; and
· Follow up on audit findings or recommendations from the 2005 internal audit of the ODE SPOTS card program.
The scope of the review was limited to FY2007-08.
To address the objectives I reviewed audit reports and professional literature on purchasing card programs. I also reviewed OAM SPOTS Policy and Procedure, ODE SPOTS Policy and Procedure, SPOTS card records and reports prepared or maintained by the bank, the cardholder, the SPOTS Coordinator, and Accounting Services. I interviewed cardholders and employees in Procurement Services and Accounting Services responsible for SPOTS Card processes.
I also ran tests to identify potentially improper transactions, selected a random sample of transactions, reviewed the supporting documentation for those transactions, and followed-up with cardholders, supervisors and vendors, as needed.
This review was not included in the 2008 Audit Plan as initially approved by the ODE Audit Committee. It was conducted as a Management Request item with audit resources set aside in the approved audit plan for that purpose and additional resources approved by the Audit Committee as a change to the audit plan.
The ODE Internal Audit Charter establishes the intent of the function to comply with the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing. The department intends to have an external assessment of the internal audit function performed in 2009.
Generally accepted government audit standards require that an audit be performed to obtain sufficient appropriate evidence to provide a reasonable basis for the audit findings and conclusions based on the audit objectives. IIA Standards require that appropriate analyses and evaluations support audit conclusions and results. This report was independently reviewed to ensure these standards were satisfied.
I requested a management response to the recommendations and offered sample language and assistance in preparing a response. However, management did not respond within the timeframe established by ODE Policy and Procedure. Since audit standards require timely reporting of engagement results, I am providing the report to the Audit Committee without a management response. When I receive management’s response, I will append it to the report and release an amended report.
Audit Results
I identified several instances of non-compliance with OAM Policy and Procedure for SPOTS Card Programs, several instances of non-compliance with ODE Policy and Procedure for the SPOTS Card Program, several control weaknesses that could result in further non-compliance, and opportunities to improve the efficiency and timeliness of program monitoring and accounting practices.
To address these conditions I made a number of recommendations. In brief, I recommended that management:
· Ensure full compliance with state and agency policies and procedures for the SPOTS Card Program.
· Improve the timeliness of SPOTS processes for reconciliation, payment, and accounting.
· Make more effective use of monitoring reports available through the bank.
OAM Compliance Issues
Segregation of Duties Issues
The Oregon Accounting Manual provides, “There should … be segregation of duties between the individual making the purchase and the individual responsible for documenting receipt and acceptance of goods and services acquired by using the SPOTS card.” ODE SPOTS Card Policy does not require independent verification of receipt of goods or services. This is a repeat of a finding from the prior audit. Inadequate segregation of duties increases the risk that an inappropriate or fraudulent transaction could go undetected.
Recommendation 1. Provide for independent verification of the receipt and acceptance of goods and services acquired with a SPOTS card. During the course of this review, management adopted a revised SPOTS Policy and Procedure requiring independent verification of receipt.
OAM and ODE SPOTS Policy provides, “To ensure proper segregation of duties, the Approving Officer should not have update access to the Bank’s on-line system.” The original ODE SPOTS Coordinator now serves as the acting Approving Officer. With the exception of the auditor added for this review, the US Bank Online Access system identifies this individual as the only ODE user. The new SPOTS Coordinator reported that she had changed the password on that user account so that she is now the only ODE employee accessing the system under her predecessor’s user name.
Recommendation 2. The new SPOTS Coordinator should establish a user account and close the account of the Acting Approving Officer.
Training Issues
The Statewide Financial Management System (SFMS) section within the State Controller’s Division (SCD) provides agencies with an approved training program for SPOTS cardholders. OAM SPOTS Procedure provides, “If an agency would like to follow a different program, an agency-specific training program must be submitted to the SFMS section for approval.” ODE does not use the SFMS supplied SPOTS Card Training Program. ODE did not submit its current SPOTS Card Training Program to SFMS for approval.
Recommendation 3. Obtain SFMS approval of the ODE SPOTS Card Training Program.
The OAM requires that SPOTS cardholders receive initial training and refresher training biennially. The State Controller’s Division requires that agencies suspend the SPOTS card for any employee not receiving a refresher course at least biennially. ODE SPOTS Policy requires that cardholders attend training prior to card issuance and again every two years. All active cardholders had received training prior to card issuance. However, 15 of 17 active cardholders whose accounts were over two years old did not received recertification training as required.
Recommendation 4. Ensure cardholders receive training on SPOTS Card use every two years.
OAM SPOTS Procedure provides, “The manager or supervisor approving SPOTS card purchases must be properly trained for this function as well.” ODE supervisors do not receive training on their SPOTS card program responsibilities.
Recommendation 5. Require SPOTS training for the supervisors of SPOTS cardholders.
Other OAM Compliance Issues
The Oregon Accounting Manual provides that an agency must develop agency-specific policies and procedures to implement the SPOTS program. Those policies and procedures should specify that only persons acting within the scope of their authority may authorize and execute SPOTS Card transactions. ODE Policy required that the cardholder’s supervisor review the logs and find that all purchases are funded with the appropriate index numbers. However, it did not specifically require that an individual with expenditure authority over the index charged authorize the transaction. This was a repeat of a prior audit finding.
Recommendation 6. Revise ODE SPOTS Policy to require that an individual with expenditure authority over the Index charged authorize the transaction. During the course of the review, the Deputy Superintendent approved a revised SPOTS Card Policy implementing this recommendation.
The Oregon Accounting Manual requires that an agency’s SPOTS card program undergo an annual compliance review by individuals independent of the agency’s cash receipt and cash disbursement functions. ODE’s SPOTS card program has not had such a review since 2005. ODE SPOTS policy did not assign responsibility for conducting or arranging for the annual compliance review.
Recommendation 7. Assign responsibility for conducting or arranging for the annual review. During the course of the review, the Director of Procurement Services revised the SPOTS Card Policy to address this recommendation.