HomeMy WebLinkAboutAudit Reports - Public - Purchase Card Audit - 8/31/2022
Glendale Budget & Finance
Purchase Card Audit
August 31, 2022
Independent Internal Audit Program
1
Independent Internal Audit Program Purchase Card Audit
Table of Contents
Executive Summary
2
A. Introduction 3
B. Background 3
C. Objective 3
D. Key Outcomes 4
E. Audit Results and Recommendations 4
F. Process Improvement Opportunities 7
G. Audit Scope and Methodology 9
H. Data Reliability 10
2
Independent Internal Audit Program Purchase Card Audit
Executive Summary
As part of our FY 2022 Audit Plan approved by the City Council, City of Glendale's
Independent Internal Audit Program (IIAP) conducted a compliance/performance audit of
the City's Purchase Card (p-card) program and its policies and procedures. The audit was
performed to evaluate compliance with policy and determine where the possibility of
process improvements may exist.
Audit Objectives:
The main objective of this audit was to assess compliance with the Purchase Card Policy
and Procedures Manual (PPPM). In addition, IIAP looked at the overall strengths and
weaknesses of the program and sought possible areas for improvement.
Audit Conclusions:
Overall, compliance with p-card policy is inconsistent. Some departments had more
detailed and consistent documentation than others. A lack of regular refresher training
on p-card procedures for cardholders, approvers, and p-card liaisons likely contributes to
the inconsistencies noted during testing.
Findings:
1. During testing of p-card transactions, numerous exceptions were noted relating to
timeliness of review, insufficient documentation to support the transaction, missing
or incomplete forms, and various other departures from policies & procedures.
2. Annual p-card training is not provided consistently, and there is insufficient record
of training offered and who attended. In addition, the annual review of cardholder
spend and limit analysis was not done in FY22.
Description:
IIAP judgmentally selected a sample of p-card transactions that cut across all City
departments and included multiple cardholders from the same area where possible.
Ultimately, IIAP chose a sample of 706 transactions across 152 statements from 127
cardholders, totaling $346,860.65. As there is no way to download the supporting
documentation (receipts, emails, packing slips, etc.) from MUNIS, each transaction in the
sample was pulled up and reviewed individually. IIAP also examined the p-card files for
a sample of 30 cardholders (cross-section of all departments) to test documentation for
the original p-card application and receipt of the card.
Severity: 1. High 2. High
3
Independent Internal Audit Program Purchase Card Audit
A. Introduction
The City of Glendale's Independent Internal Audit Program (IIAP) conducted a
compliance/performance audit of the City's Purchase Card (p-card) program and its
policies and procedures. The audit was performed to evaluate compliance with policy and
determine where the possibility of process improvements may exist.
B. Background
The City's Purchase Card (p-card) program is intended to provide a simple, efficient, cost-
effective means of purchasing low dollar items (less than $5,000). The program enables
departments to be self-sufficient, eliminates redundant and/or zero value-added
processes, and provides a simple, online means to allocate or distribute charges. It is a
MasterCard credit card which can be used for purchases of all non-restricted commodities
from any supplier that accepts MasterCard as a form of payment. Cardholders can obtain
goods and services in a quick and convenient way within the system's controls. The
ability to purchase via p-card using the phone or internet promotes better service by
obtaining items more rapidly while decreasing the amount of paperwork across ordering
departments, Procurement, and Accounts Payable.
The program began in 2007 when Glendale entered into a participation agreement with
the City of Tucson and their contract with Chase Bank. On April 12, 2022, Glendale City
Council approved a new five-year contract with JPMorganChase (JPMC). The following
month, the p-card program administrator left Procurement/Budget & Finance to work in a
different City department. About 90 days later, the vacant p-card administrator position
was filled near the end of August.
The Glendale p-card program currently has approximately 400 active cards, with annual
spend averaging $6 million over the last three full fiscal years. Over those three years,
the program has generated an annual rebate from the bank averaging nearly $100K,
which goes directly into the City's General Fund. With the new contract in place, the City
will move to JPMC's highest card administration and reporting system (PaymentNet),
switch from MasterCard to Visa, and begin paying vendors (who opt in) via single-use
virtual cards instead of Accounts Payable checks. The latter program will speed up
payments to vendors, reduce overall manual Accounts Payable processing, and increase
the annual rebate to the City.
C. Objective
The main objective of this audit was to assess compliance with the Purchase Card Policy
and Procedures Manual (PPPM). In addition, IIAP looked at the overall strengths and
weaknesses of the program and sought possible areas for improvement.
4
Independent Internal Audit Program Purchase Card Audit
D. Key Outcomes
Overall, compliance with p-card policy is inconsistent. Some departments had more
detailed and consistent documentation than others. A lack of regular refresher training
on p-card procedures for cardholders, approvers, and p-card liaisons likely contributes to
the inconsistencies noted during testing.
E. Audit Results and Recommendations
Findings:
1. During testing of p-card transactions, numerous exceptions were noted relating
to timeliness of review, insufficient documentation to support the transaction,
missing or incomplete forms, and various other departures from policies &
procedures.
Condition
Overall, there is very limited p-card data available from either MUNIS or the currently
utilized JPMC reporting system (Smartdata). Therefore, IIAP requested the assistance
of Procurement's Purchase Card Administrator (position was vacant from late May to late
August) and the IT department for downloads of cardholder data and transactions from
both systems. A list of all cardholders, along with their respective approvers and liaisons,
was obtained from the former Purchase Card Administrator (PCA) as of 4/1/2022. As of
that date, there were 403 active cards and cardholders (one card per person), 87
approvers, and 34 p-card liaisons.
On the transactional side, IT provided a list of all transactions for the first nine months of
FY21. From this population, IIAP focused on the second fiscal quarter, covering
transactions during October through December of 2021. This would ensure that all
statements and transactions should have been reviewed, approved, and reconciled
before the beginning of fieldwork. IIAP judgmentally selected a sample that cut across
all City departments and often included multiple cardholders from the same area.
Criteria
Per the Purchase Card Policy and Procedures Manual (PPPM) section B.4, there are
numerous supporting documentation requirements for p-card transactions. These
include receipts and other proofs of payment, business purpose explanation for meals,
how to account for lost or missing receipts, and various other stipulations depending on
the type of goods or services purchased. Section B.5 of the PPPM also outlines
procedures for each cardholder to load the supporting documentation into MUNIS and
ensure that correct account allocation coding is done.
5
Independent Internal Audit Program Purchase Card Audit
Cause
Many cardholders obtained their p-cards up to 15 years ago. As business processes
change and turnover of approvers and p-card liaisons occurs, inconsistency of p-card
transaction supporting documentation has grown. To compound the issue, there has
not been consistent refresher training for all parties, which will be addressed further in
Finding # 2.
Effect
Noncompliance with p-card policy cut across City departments, regardless of number of
transactions. Ultimately, there were many exceptions to policy (please see Appendix 2
that indicates the sample by department and Appendix 3 for a summarized breakdown
of exceptions).
While no fraudulent activity was found during testing, all reviews and approvals are done
post-transaction, and there are over 400 p-cards with potential errors and/or fraud every
month. Due to inconsistencies in documentation, along with the timeliness of reviews
and/or enforcement of policy, the risk of undetected inappropriate purchases is higher
with p-cards than the general procurement process.
Recommendation
With inconsistent documentation to support p-card transactions across the City, IIAP
recommends that department directors or their designees (supervisors/managers) review
the PPPM (last revised 6/15/2021) with all current cardholders, approvers, and liaisons
within the next 60 days. This will help address compliance until a new annual refresher
training is developed (please see recommendation for Finding # 2).
Management’s Response
The Budget and Finance Department will issue an instructional memo to all department
directors outlining the current procurement card policy based upon the last revised date
of June 15, 2021. This will include an emphasis upon the responsibilities of the individual
P-Card Holder, P-Card Approver, and P-Card Liaisons for timely review of all transactions
and the appropriate documentation required to support those transactions. This memo
will be issued within 60 days from the date of formal audit committee acceptance of the
p-card audit report.
2. Annual p-card training is not provided consistently, and there is insufficient
record of training offered and who attended. In addition, the annual review of
cardholder spend and limit analysis was not done in FY22.
6
Independent Internal Audit Program Purchase Card Audit
Condition
Per discussion with the Interim Budget & Finance (B&F) Director, only the Procurement
Administrator and the B&F Management Assistant have access to the p-card master file.
Upon hire and sufficient training, the new Purchase Card Administrator (PCA) will also
have access. (The former PCA no longer has access to the p-card master file.) One of
the duties for the new PCA is an annual cardholder limit review (section C.5 of the
Purchase Card Policy and Procedures Manual). The PCA is to run a spending report in
the JPMC system and distribute it to the p-card liaisons to review cardholder transaction
and monthly limits. If necessary, p-card liaisons will work with their department head and
complete the appropriate forms to modify limits as needed. Per the Interim B&F Director,
this was not done in FY22. The new PCA will be assigned this responsibility, with the aim
to perform it twice per year instead of just once. In addition, the new PCA will do an
analysis of the p-card master file to update/purge as necessary in alignment with
changing to JPMC's PaymentNet system and the switch from MasterCard to Visa.
Criteria
Per the Purchase Card Policy and Procedures Manual (PPPM) section B.13, annual
training is required for cardholders, approvers, and p-card liaisons. This training should
help all parties with the transaction documentation requirements noted in Finding # 1, as
well as the annual review of credit limits and spend per PPPM section C.5 noted in the
Condition paragraph directly above.
Cause
IIAP determined that there is very little record of p-card training available. It appears
the expectation is for cardholders, approvers, and liaisons to learn their responsibilities
and understand the policy upon issuance of the card and/or those duties. However,
policies, procedures, and documentation requirements may change over time. The staff
who perform these duties may also change departments within the City or turnover with
old and new personnel, leading to additional chances for inconsistent policy application.
Effect
Inconsistent training and documentation, coupled with turnover in p-card roles and with
the PCA, led to noncompliance with policy. Beyond noncompliance, there also was no
analysis of cardholder limits and usage, possibly resulting in exposure to unnecessary
credit risk/liability for the City. The lack of continuous training, along with inconsistent
review of spend and credit limit analysis, contributes to a higher risk environment.
Recommendation
In addition to analyzing cardholder spend and credit limits/usage, IIAP recommends that
another main duty of the new PCA should be development of an annual p-card training
course. This training should be in the City's new Learning Management System (LMS).
7
Independent Internal Audit Program Purchase Card Audit
By implementing an annual p-card refresher training in the new LMS, the PCA will be able
to track those who have successfully completed the course and notify those parties whose
training requirement is due. By doing so, the PCA will be able to revoke p-card privileges
and/or duties for those that don’t comply with the training requirement. IIAP recommends
that the initial completion by all parties for the annual training coincide with the change to
JPMC's PaymentNet system and the switch from MasterCard to Visa.
Management’s Response
The Budget and Finance Department is committed to supporting a robust P-Card program
that complies with applicable policies and procedures as adopted by the City. Therefore,
the P-Card Administrator under the direction of the Finance Director will develop and
implement a required annual training for all staff who have been issued a P-Card. This
training will be implemented and made available on demand through the City’s new
Learning Management System (LMS) and attendance will be tracked. Additionally, the
Budget and Finance Department will semi-annually review all cardholder spend/usage
and assigned credit limits to ensure that cardholders have appropriate credit limits. This
training will be developed and implemented by January 1, 2023, and require that all card
holders complete the training within 90 days.
F. Process Improvement Opportunities
To apply for a p-card, the cardholder must supply some confidential information so that
the issuing bank (JPMC) can comply with certain provisions of the Patriot Act. The
cardholder will need to provide their home address, last 4 digits of their social security
number, date of birth, and mother's maiden name. A P-Card Account Form will then be
submitted by the appropriate department liaison and must be signed by the cardholder,
the department head (or their designee), and the City's P-Card Administrator (PCA), who
will notify the cardholder when the card is ready to be picked up. The cardholder will then
sign the p-card receipt and gain physical possession of the card. The Cardholders'
Agreement included in the P-Card Account Form identifies the responsibilities held by the
cardholder and the commitment to understand and abide by all the rules and regulations
of the p-card program, along with possible actions taken for violating these provisions.
To activate the card, the cardholder will call the bank, verify their confidential information
requested with the original application, and create a PIN for activation.
IIAP staff obtained the P-Card Account Forms for a sample of 30 individual cardholders
included in the transaction sample testing. Of the 30 cardholders sampled, 13 (43%) had
the older version of the form on file, which required less approvals than current policy but
would still be considered compliant. Of the 30 sampled, only one (3%) did not have
evidence on file of signing for receipt of their card. When the City upgrades from the
current JPMC system to PaymentNet, and MasterCard is replaced by Visa, IIAP
recommends that all cardholders and applicable approvers sign the most current version
of the P-Card Account Form available at that time. Each cardholder should also sign the
8
Independent Internal Audit Program Purchase Card Audit
most current version of the receipt form once their new Visa card is picked up. Along with
the new annual training mentioned in Finding # 2, this will bring all parties into compliance
and allow for a clean starting point with the new JPMC contract.
Another recommended area for improvement is to streamline the PPPM. As processes
will likely change with the switch to Visa cards and PaymentNet, the opportunity exists to
make the PPPM less technical and more user friendly; some items are very detailed while
others are quite vague. For example, with respect to proof of payment, section B.4
(Required Supporting Documentation) begins with:
IIAP found it unusual that explanations of what was purchased and why only applied to
business meals and to instances of no itemized receipts. IIAP recommends that a brief
explanation of the purchase accompanies all transactions, not just business meals. In
order to provide clarity to reviewers/approvers, a short description of what was purchased
and why should be included in the NOTES section when uploading into MUNIS, or written
on the receipt prior to scan/upload. A simple purchase such as office supplies may need
no further explanation than that. But for a specialized equipment purchase, it might save
time and unnecessary correspondence to say something like, "item XYZ will be used to
analyze ABC samples as part of soil testing for planned excavations". As all p-card
purchases are outlays of public funds, this brief explanation may help expedite the
reconciliation/approval process and provide clarity for public records requests as well.
9
Independent Internal Audit Program Purchase Card Audit
G. Audit Scope and Methodology
Overall, there is very limited p-card data available from either MUNIS or the currently
utilized JPMC reporting system (Smartdata). Therefore, IIAP requested the assistance
of Procurement's Purchase Card Administrator (PCA) and the IT department for
downloads of cardholder data and transactions from both systems.
We conducted this compliance/performance audit in accordance with the Government
Accountability Office (GAO)'s generally accepted government auditing standards as well
as the Institute of Internal Auditors (IIA)'s international professional practices framework.
Those standards require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and conclusions
based on our audit objectives. We believe that the evidence obtained provides a
reasonable basis for our findings and conclusions based on the audit objective. The main
objective of this audit was to assess compliance with the Purchase Card Policy and
Procedures Manual (PPPM). In addition, IIAP looked at the overall strengths and
weaknesses of the program and sought possible areas for improvement.
IIAP determined internal controls over the following areas were relevant to our objectives:
• Determining an accurate population of cards outstanding, cardholders, approvers,
and p-card liaisons; and,
• Compliance with the documentation, analysis, and training provisions within the
PPPM.
To accomplish our objective, IIAP performed the following activities:
• Requested the PCA to provide a list of current p-cards and cardholders, approvers,
and p-card liaisons;
• Requested of IT a download from MUNIS of all p-card transactions for the first nine
months of FY22;
• Judgmentally selected a sample of p-card transactions occurring between October
– December of 2021 that cut across all City departments;
• Reviewed each transaction’s supporting documentation on an individual basis
within MUNIS;
• Requested explanations from departments for all individual transactions where
additional information was needed to validate the purchase;
• Judgmentally selected a sample of 30 cardholders from the transaction testing that
cut across all City departments to verify card issuance documentation; and,
• Obtained information from HR on the expected capabilities of the new LMS.
10
Independent Internal Audit Program Purchase Card Audit
H. Data Reliability
The primary data utilized for the work performed in this audit was obtained directly from
MUNIS via download and export from the IT department, and various reports from
JPMC’s SmartData system pulled by the prior PCA. MUNIS data reliability is reviewed
annually during the audit of the City’s financial reports and the Comprehensive Annual
Financial Report (CAFR) performed by the City’s external auditor. IIAP also reviewed the
individual p-card files for a sample of 30 cardholders to verify card issuance
documentation required by the PPPM.
11
Independent Internal Audit Program Purchase Card Audit
Appendices
Appendix 1
Definitions of Audit Findings Rankings
We assigned the risk rankings based on our professional judgment. A qualitative
assessment of high, medium or low helps to prioritize implementation of corrective action
as shown in the table below.
High
Critical control weaknesses that expose the City to a high degree of
combined risks. Recommendations from high-risk findings should be
implemented immediately (preferably within 3 months), to address areas
with most significant impact or highest likelihood of loss, misappropriation
or damage related to the City assets.
Medium
Represents less than critical weaknesses that expose the City to a moderate
degree of combined risks. Recommendations arising from medium-risk
findings should be implemented in a timely manner (preferably within 6
months), to address these risks and strengthen or enhance efficiency in
internal controls on areas with moderate impact and likelihood of exposure.
Low
Represents a low level of risk or control weaknesses and the exposure is
not likely to expose the City and its assets to significant losses. However,
they should be addressed in order to improve efficiency and effectiveness
of operations. Recommendations arising from low-risk findings should be
implemented within 12 months.