State Corporate Purchasing Card Program

(1)

Performance Audit Report

State Corporate Purchasing Card Program

Oversight Responsibilities Were Not Formally Established User Agencies Were Not Closely Monitoring Card Purchases

(2)

• This report and any related follow-up correspondence are available to the public. Alternate formats may also be requested by contacting the Office of Legislative Audits as indicated at the bottom of the next page or through the Maryland Relay Service at 1-800-735-2258.

• Please address specific inquiries regarding this report to the Audit Manager listed on the inside back cover by telephone at (410) 946-5900.

• Electronic copies of our audit reports can be viewed or downloaded from the Internet via http://www.ola.state.md.us.

• The Department of Legislative Services – Office of the Executive Director, 90 State Circle, Annapolis, Maryland 21401 can also assist you in obtaining copies of our reports and related correspondence. The Department may be contacted by telephone at (410) 946-5400 or (301) 970-5400.

(3)

September 25, 2003

Delegate Van T. Mitchell, Co-Chair, Joint Audit Committee Senator Nathaniel J. McFadden, Co-Chair, Joint Audit Committee Members of Joint Audit Committee

Annapolis, Maryland Ladies and Gentlemen:

We conducted a performance audit of the State’s Corporate Purchasing Card Program (CPCP) primarily to assess the effectiveness of centralized oversight and internal controls, and to identify opportunities to enhance procurement

effectiveness and efficiency. Our audit included the oversight provided by the Comptroller of the Treasury’s General Accounting Division (GAD), as well as selected testing of agencies’ CPCP transactions.

Our audit results disclosed that the CPCP needs stronger oversight primarily because agencies were not diligent in monitoring purchasing card activity. Such activity is now approximately $200 million annually. Our random sample of purchases disclosed that card users often were not properly documenting their purchases (for example, itemized invoices were missing) nor were supervisors performing timely reviews (if at all) of purchases for propriety. Furthermore, our tests of 207 other purchases (that were selected based on certain characteristics) identified 64 transactions which, based on information provided at the time of our inquiries, either appeared questionable due to incomplete documentation or

represented split purchases to bypass card dollar limits. These transactions, many of which may ultimately be determined to be legitimate purchases, were provided to GAD for follow-up. Although certain control mechanisms have been

established to reduce the likelihood of card misuse, we found that internal controls could be improved. For example, COT centrally paid the monthly statewide purchasing card bill without obtaining assurance from State agencies that billed costs were valid.

We also identified opportunities for potential program expansion that could be pursued. Expansion should increase the rebate paid by the card vendor which is based on purchasing volume and totaled $1.6 million for the most recent contract year. For example, the purchasing card was only used for one-half of the 1.4 million annual transactions meeting the CPCP threshold. Finally, CPCP purchases were not always made in the most economical and efficient manner.

(4)

We noted that purchasing card information was not made available to central procurement oversight agencies for analysis to determine whether statewide contracts should be executed for commonly purchased good and services. Establishing formal responsibilities for CPCP oversight should help improve user agency compliance with existing CPCP guidance as well as result in more cost effective purchases.

An executive summary can be found on page 5 of the report. Our scope, objectives, and methodology of the audit are explained on page 13.

We wish to acknowledge the cooperation extended to us during our audit by GAD and the agencies with purchases we selected for testing.

Respectfully submitted,

Bruce A. Myers, CPA Legislative Auditor

(5)

Executive Summary

Objectives

We had three specific audit objectives:

1. To determine if adequate centralized oversight and internal controls existed over the Corporate Purchasing Card Program (CPCP), including the identification of fraud, waste and abuse.

2. To determine if the CPCP accomplished intended financial and service performance goals and opportunities for increased program usage were identified.

3. To assess the adequacy of the Comptroller of the Treasury’s (COT) procurement of the CPCP contract.

Background

The State introduced the CPCP in order to streamline procurement and accounts payable functions by eliminating required paperwork (such as requisitions and small dollar invoice processing and payment). In addition, CPCP provides the added benefit of increasing revenues to the State due to a rebate paid by the card vendor based on annual purchasing card usage volume.

The COT’s General Accounting Division (GAD) administers the CPCP. In this capacity, GAD has established certain program parameters and guidelines to reduce the potential for fraud, waste and abuse, such as individual and monthly transaction limits and blocking purchases from certain types of merchants. GAD also performs a monthly questionable transaction review. These actions have been taken to reduce the likelihood of wide-scale fraud and abuses, which have been noted in a number of public audit reports of Federal government purchasing card programs.

Conclusions

Our audit results indicate that there are opportunities to improve the effectiveness of CPCP oversight and the efficiency of the CPCP, which accounts for almost $200 million in annual procurements. The decentralized nature of the program, whereby significant responsibilities are delegated to the user agencies, combined with the lack of formal oversight responsibilities, have resulted in a lax control environment, whereby cardholders in many agencies frequently have not properly documented purchases, supervisors have not reviewed purchases or have not done so on a timely basis, and GAD has not obtained any assurance from agencies

(8)

before payment that card bills were proper. Also, the lack of formally established oversight responsibilities over the procurement aspects of CPCP has meant that opportunities for CPCP enhancements were not always identified or pursued. GAD advised us that due to the nature (that is, small procurements) and relative insignificance of the CPCP ($200 million in annual expenditures) to total State expenditures, the State’s financial exposure is limited and this was one of the reasons that the controls were decentralized. Nevertheless, the lack of centralized authority to exercise broad control over the CPCP increases the potential for misuse.

Objective 1 – CPCP Oversight and Internal Controls

Our audit disclosed that oversight and controls over the CPCP could be improved.

Overview of Major Findings – Objective 1

Problem Area Comments / Examples

Formal Responsibility

Not Established

Formal responsibility for the oversight of the CPCP had not been established. Although GAD administered the CPCP, no formal responsibility has been established to oversee the procurement aspects of the CPCP. Also, the degree of authority GAD was willing to exercise was not clear. (Finding 1)

Agencies were not required to provide GAD with assurance regarding the validity of monthly CPCP charges and as a result there was a lack of assurance that monthly charges were proper. (Finding 2)

Insufficient Internal Controls

GAD’s review of participating agency CPCP activities was not sufficiently comprehensive since it did not include an enforcement process for

noncompliant agencies or ensure that agencies with material card usage were reviewed. (Finding 4)

Our random statistical sample of 97 transactions disclosed that at least 77% of all CPCP transactions lacked certain critical documentation such as an itemized invoice supporting the transaction. Based on this test, we identified 12 transactions that were not documented, or appeared questionable. (Finding 3) Transaction Testing Disclosed Supporting Documentation Often Missing and Apparent Questionable or Inappropriate Purchases

Based on our selection of 207 other transactions, we identified 64 transactions that were not sufficiently documented and appeared to be questionable or were inappropriate based on information provided at the time of our inquiries. For example, we noted hotel charges for which the agency could not provide any documentation that the service was received. We also noted a number of inappropriate purchases where the cardholder split the purchases to

circumvent both individual card transaction limits and State Procurement Regulations regarding small purchases. (Finding 3)

(9)

Objective 2 – Evaluating CPCP Performance and Identifying Opportunities Our audit disclosed that statewide CPCP transaction information was not used to help ensure that CPCP purchases were made in the most economical and efficient manner. In addition, GAD could improve the measurement indicators of the success of the CPCP. Finally, the audit disclosed that the potential exists to

expand CPCP usage and increase the related rebate paid to the State. Decisions to expand card use should consider the related risks (such as the effectiveness of internal controls). For example, we noted the following conditions:

! Statewide CPCP information was not available to centralized procurement agencies. As a result, the State lacked assurance that CPCP purchases were made in the most economical manner. For example, we noted that some State agencies paid a significantly higher rate to one merchant for a service than another State agency for the same service. This was due to the lack of a statewide contract that could have provided lower negotiated rates to various State agencies. (Finding 7)

! CPCP results were not effectively measured or used to determine the success of the CPCP. (Finding 8)

! Over 700,000 annual transactions under $2,500 paid by transmittal had not been analyzed to determine the extent to which these transactions may be eligible for card use. (Finding 9)

! Other areas for potential program expansion had not been formally analyzed. We noted certain vendors with recurring high-dollar value transactions where GAD had not determined the feasibility of increasing the card limits for payment convenience purposes. (Finding 9)

Objective 3 – Contract Procurement

The audit disclosed that the COT procured the contract in accordance with existing laws and regulations governing the procurements of service related contracts.

Recommendations

We recommend that GAD, in conjunction with other appropriate state agencies with procurement oversight responsibilities, execute a memorandum of

understanding that establishes the responsibility and authority of each party with respect to CPCP. We also recommend that GAD ensure that effective controls, enforcement processes, and guidance have been established for CPCP activities.

(10)

In addition, we recommend that the transactions we identified as not properly documented, as well as those that appeared questionable or inappropriate, be investigated and resolved. Finally, we recommend that purchasing information be provided to procurement oversight agencies and that the feasibility of expanding CPCP use be assessed.

(11)

Background Information

Program History and Description

In fiscal year 1997, the State implemented its Corporate Purchasing Card Program (CPCP). The CPCP was intended to streamline procurement and accounts payable functions by eliminating paperwork (requisitions, purchase orders and the

associated invoice processing) for small purchases (such as category I – small procurements). State Procurement Regulations define category I – small procurements as procurements under $2,500 which require less stringent documentation (such as no formal bids).

Since CPCP inception there have been two different card vendors under contract to provide the required credit cards. The procurement of the original card vendor contract was conducted by the Department of General Services (DGS), although the Comptroller of the Treasury (COT) was responsible for contract

administration. Upon expiration of the first contract, COT assumed operational control of the CPCP contract and a competitive procurement was conducted by COT, with the result that on December 11, 2000, COT entered into a two-year contract with a new card vendor to provide corporate purchasing card services effective April 26, 2001. On March 19, 2003, the Board of Public Works approved a two-year extension of this contract under the same terms and conditions as the original contract. The COT’s General Accounting Division (GAD) functions as the CPCP administrator. Under the terms of the current agreement, the vendor provides the following services:

! purchasing card services accepted by over 18 million worldwide merchants ! a dedicated account manager

! web-based reporting and program management services ! training for all participating agencies

! various automated controls over program abuse (such as dollar transaction limits)

! liability protection of up to $15,000 per employee for lost/stolen cards Although GAD administers the CPCP and related contract, participating state agencies have much of the responsibility for the day-to-day operation and oversight of their purchasing activities. For example, the card vendor issues purchasing cards directly to user agencies. Designated individuals issue new cards

(12)

within each agency based on requests by personnel that must be approved by the employee’s supervisor and an agency fiscal officer. The agency sets individual card transaction limits as well as the number of purchases allowed per day and monthly cycle limits (both spending and number of transactions).

The following chart shows how the purchasing and payment process has been set up.

Purchasing Card Process

Purchasing cardholders in agencies order/charge goods and services within daily/monthly dollar limits

on card.

Cardholders are to record purchase transaction details on Activity Logs (e.g., vendor, date, dollar amount,

description).

Cardholders are to reconcile monthly purchasing card statements received from the card

vendor to the Activity Logs.

Card Vendor (Purchasing Card Issuer)

Approving agency officials are to review Activity Logs, card

statements and supporting documentation (e.g., vendor invoices) to ensure that purchases

are reasonable and necessary.

Approving agency officials are to sign and date Activity Logs for

completeness and accuracy.

All documentation is to be submitted to Agency Fiscal Officers, who are to reconcile agency purchasing card activity to

State accounting records.

Detail of Statewide activity submitted to

GAD.

GAD pays card vendor (within 25 days of the end

of the billing cycle) and posts activity to State

accounting records.

State Accounting Records Merchants submit

State purchasing card information

(13)

Rebate

The card vendor pays the State an annual rebate based on the State’s total purchase volume for each month period covered by the contract. For the 12-month periods ended April 2002 and 2003, the card vendor paid the State $1.4 million based on $174 million in purchase volume and $1.6 million based on $193 million in purchase volume, respectively. Vendor rebates have become

increasingly common in state purchasing card programs in recent years. The card vendor earns a percentage of the transaction amount paid by the merchants, but receives no payments from the State for providing purchasing card services. Program Activity and Growth

Based on information provided by GAD, the State’s use of the purchasing card has increased since its inception as shown in Table 1 below:

Table 1

Schedule of Corporate Purchasing Card Usage

Year1 Number of Transactions

Dollar Value of Transactions

(millions) Rebate Received

1997-1998 2,650 $ 2.2 $ 3,990 1998-1999 158,939 41.1 123,387 1999-2000 409,399 118.3 354,762 2000-2001 470,222 161.7 485,182

2001-2002 759,055 215.6 1,576,570 2002-2003 695,659 192.6 1,589,402

1 Year corresponds to the contract year for rebate calculation purposes. GAD awarded a new contract effective April, 26, 2001. The 2001 – 2002 contract year reflects activity (including rebate) from both card vendors for a 14-month period due to a change in the contract period.

See Exhibit 1 for a detail listing of card usage by individual State agency. Program Controls

GAD has established and maintains the CPCP Policies and Procedures Manual. This Manual was issued in April 2001 and revised in July 2002. The Manual provides user agencies with information and guidance regarding card issuance, card security, appropriate card use and documentation. In addition, GAD has taken certain centralized actions to help ensure the propriety of transactions processed under the CPCP. Specifically, GAD and the card vendor instituted certain control mechanisms, including the following procedures:

! Establishing single transaction dollar limits as follows: State agencies (except for University System of Maryland) - $2,500; University System of Maryland - $5,000; transactions through eMaryland Marketplace (an on-line procurement process) - $10,000.

(14)

! Blocking certain merchant category codes so that the system will not approve transactions attempted with merchants in these categories.

Blocked codes include merchants coded as personal service providers (such as beauty shops), restaurants, movie theaters, liquor stores, gambling establishments and automated teller machines. The credit card company assigns merchant codes and GAD makes the determination of which ones to block.

! Limiting the State’s liability for lost and stolen cards. The card vendor provides protection from liability for up to $15,000 per card.

! A monthly review of questionable purchases. GAD uses web-based data provided by the card vendor to attempt to identify questionable purchases. GAD requires user agencies to investigate such purchases and provide assurance that these purchases were proper.

In addition, various controls are available to the individual State agencies to further control card use and limit potential exposure to inappropriate transactions. For example, daily and monthly dollar limits may be set for individual cards. These controls have been designed to reduce the likelihood of flagrant types of abuse such as those noted in recent United States General Accounting Office (GAO) audit reports on Federal government purchasing card programs. For example, the GAO has noted the use of cards to make inappropriate purchases such as electronics for home use and cash advances. Nevertheless, we have commented in certain fiscal/compliance audit reports on alleged purchasing card frauds caused by breakdowns in State agencies’ internal controls, as well as failures to comply with CPCP guidelines1.

1

Refer to the University System of Maryland – University of Maryland, College Park audit report issued February 14, 2003 and the State Highway Administration audit report issued June 23, 2003.

(15)

Audit Scope, Objectives, and Methodology

Scope

We conducted a performance audit of the Comptroller of the Treasury’s (COT) administration of the Corporate Purchasing Card Program (CPCP). We conducted the audit under the authority of the State Government Article, Section 2-1221 of the Annotated Code of Maryland and performed it in accordance with generally accepted government auditing standards.

Objectives

We had three specific audit objectives:

(1) To determine if adequate centralized oversight and internal controls existed over the CPCP, including the identification of fraud, waste and abuse.

(2) To determine if the CPCP accomplished intended financial and service performance goals and opportunities for increased program usage were identified.

(3) To assess the adequacy of the COT’s procurement of the CPCP contract. Our audit objectives did not include a review or evaluation of the CPCP vendor’s information system. In addition, we did not review agency processes for issuing purchasing cards or assigning individual card credit limits nor did we evaluate the internal controls of all agencies whose transactions were selected for testing.

Methodology

To accomplish our objectives, we reviewed applicable State laws and regulations, as well as policies and procedures established by COT’s General Accounting Division (GAD) and selected State agencies. We also interviewed personnel at GAD and those agencies that processed transactions tested during the audit. We obtained information from representatives of other government purchasing card programs and reviewed relevant reports published by the United States General Accounting Office. We obtained electronic files detailing transactions processed by the State’s purchasing card vendor and performed automated analyses of the data. We reviewed this data and found it to be reliable for our audit purposes. Based on that data, we performed data mining. Data mining is the act of searching or “mining” data to identify transactions or patterns of activity exhibiting

(16)

anomalies between different pieces of information. This was done to help identify instances of potentially improper purchases. For transactions identified by this process, we reviewed the related records maintained by GAD and the selected State agencies.

We also conducted a statistical sample of transactions processed during the audit period to determine the existence of certain specific documentation and control attributes. We projected the results of this test on a statewide basis. Since our results for other testing conducted during this audit (“data mining”) were based on non-statistical tests, we did not project our results of those tests on a statewide basis. We discussed the results of our audit with the responsible agency officials. Fieldwork and Agency Response

We conducted our fieldwork from June 2002 to May 2003. The COT’s response to our findings and recommendations is included as an appendix to this report. As prescribed in the State Government Article, Section 2-1224 of the Annotated Code of Maryland, we will advise the COT regarding the results of our review of its response.

(17)

Findings and Recommendations

CPCP Oversight and Internal Controls

Conclusion

Our findings disclosed that responsibilities for overseeing the Corporate Purchasing Card Program (CPCP) have not been formally established. The General Accounting Division (GAD) administers the contract with the CPCP vendor, pays the consolidated monthly corporate purchasing card bill on behalf of all state agencies, and performs some monitoring of activity. However, no State agency has the responsibility for oversight of the procurement issues associated with the purchasing card. Furthermore, CPCP operates in a decentralized environment with much of the operational responsibilities delegated to the participating agencies.

Centralized oversight needs to improve because agencies frequently did not ensure that card purchases were properly documented and reviewed by supervisory personnel. Our tests of 97 transactions selected on a random statistical basis as well as 207 other transactions disclosed significant failures to comply with CPCP Manual requirements and 76 undocumented or potentially questionable or

inappropriate purchases based on information provided at the time of our inquiries. Finally, internal controls over the program, including GAD’s need to assure the validity of the monthly bill, and the instructions provided to participating agencies should be enhanced.

Finding 1

Formal responsibility for oversight of the CPCP has not been established. Analysis

Although the CPCP functions as both an invoice payment mechanism and as a method of procurement, centralized oversight responsibilities for these two primary aspects of the CPCP have not been formally established. As a result, internal controls could be strengthened and greater procurement efficiencies could be realized through improved coordination of State agencies’ efforts.

The degree of authority and responsibility GAD is taking has not been formally established. For example, GAD has issued a manual that 1) describes the GAD’s role as administrator of the CPCP contract with the card vendor issuing the corporate purchasing cards and, 2) offers CPCP guidelines (which include control and accountability issues) for State agencies to follow when using the cards.

(18)

However, GAD views the manual as guidance as opposed to a requirement. Consequently, State agencies are permitted significant latitude in implementing and operating the CPCP. As noted elsewhere in this report, our testing of individual card transactions indicates that agencies frequently do not adhere to CPCP guidelines or ensure that adequate or appropriate controls are in place.

Furthermore, as noted in another finding, GAD has not taken enforcement actions when it identified a noncompliant agency. GAD officials advised us that it does not function, and does not see its role, as a control agency. Consequently, the degree of authority GAD was willing to exercise was not clear.

The CPCP also functions as a procurement tool. However, since GAD does not have legal authority to function as a procurement control agency, there is a lack of effective oversight to ensure the appropriate and efficient use of the card for procurement. Other items in this report identify opportunities for expanding the CPCP and increasing procurement efficiencies (such as entering into statewide contracts based on CPCP use of all agencies with individual merchants, resulting in real-dollar savings) that only become apparent after an analysis of CPCP

transactions from a procurement perspective. As of the date of our audit, procurement oversight agencies had not actively participated in reviewing statewide CPCP activity.

We believe that due to the dual purpose of the CPCP (procurement and bill payment process), as well as the decentralized nature of the CPCP operation, a formal oversight structure which includes GAD as well as other State entities is necessary. Specifically, several State control agencies could share oversight of the CPCP each with its own area of responsibility. GAD could exercise control over the invoice processing and payment function and the Department of General Services, the Department of Budget and Management as well as the University System of Maryland could be responsible for the respective procurement issues associated with the CPCP. Such an arrangement, which among other issues could delineate the span of authority of each party, could be accomplished via a formal memorandum of understanding, which is a method of establishing responsibilities when a program or process affects several departments or agencies.

Recommendation 1

We recommend that responsibility for oversight of the CPCP be formally established. Specifically, we recommend that GAD and other appropriate

(19)

Finding 2

Agencies are not required to provide any assurance to GAD regarding the validity of monthly CPCP charges.

Analysis

GAD paid the card vendor’s monthly bill without receiving assurance from user agencies that the monthly card statements on which the bill was based contained only valid charges. GAD makes a single payment to the card vendor each month based on transaction data received from the card vendor. For fiscal year 2002, GAD’s average monthly payment to the vendor totaled $15.4 million. Although according to the CPCP Manual each agency is to verify the validity of its monthly charges, the agencies were not required to provide GAD with any

assurance/certification as to successful completion of the verification process. Our testing disclosed that this agency-based process was often not performed (see Finding 5). Providing certification to GAD would help demonstrate that user agencies are accountable for the related expenditures as well as performing control and verification procedures.

While State law provides GAD with substantial latitude for handling State funds and paying State bills, the CPCP bill payment process differs from the process used to pay non-CPCP purchases. Specifically, for non-CPCP purchases, GAD requires that the agency submit a transmittal signed by an authorized employee along with original invoices and/or supporting documentation in sufficient detail to describe the goods and service rendered. GAD further requires that each invoice included in a transmittal, regardless of the amount, be approved by an authorized

representative indicating that the invoice is mathematically accurate and that the goods have been received, the services rendered and the payment has not been made previously. Furthermore, prior to processing the transmittal for payment, GAD audits the transmittal and related documentation for propriety. All of this is intended to help ensure that the invoices submitted for payment represent valid charges to the State.

Similar assurances are lacking for CPCP purchases. The chart below illustrates the current CPCP process and the missing agency certification, which is evident in non-CPCP purchase payment processing.

(20)

Simplified Monthly Billing Verification Process

Although most governmental entities we contacted used a different card vendor payment process, the two that had a centralized payment process similar to Maryland required certain evidence from users regarding the validity of charges before making payment.

Cardholder charges goods and services, and records on monthly Activity Log. Transaction recorded by card processor (separate from the card vendor) and reported to GAD monthly.

Card processor sends monthly billing statement to each cardholder.

Cardholder reconciles monthly activity log to the statement (see flowchart on page 10).

Card processor reports all transactions daily to card vendor.

Card vendor sends GAD monthly billing

statement.

GAD agrees card processor totals to card vendor billing statement.

GAD pays card vendor for charges incurred for the month.

At no time is the cardholder activity reported to the agency agreed to the card

vendor billing statement submitted to GAD.

(21)

We recommend that GAD require agencies to provide written assurance as to the validity of their monthly CPCP charges.

Finding 3

Agencies’ purchasing card transactions were often not properly documented and certain transactions appeared to be inappropriate or questionable in nature.

Analysis

Our testing of purchasing card transactions disclosed that agencies frequently did not properly document the procurements as prescribed by CPCP guidelines. Some transactions appeared to be either inappropriate or questionable in nature.

Inappropriate transactions include those transactions where purchases were made in apparent violation of State Procurement Regulations or the CPCP Manual. Questionable transactions include those transactions where adequate

documentation was not provided to us at the time of our tests by the agency official responsible for ensuring that transactions were reasonable and necessary. We conducted a statistical sample of 97 randomly selected transactions for

compliance with certain critical documentation components of the Manual. In addition, we tested 207 other transactions that were selected based on certain characteristics (such as card use on a weekend or out-of-state), which we believe indicated unusual or potentially questionable use.

(22)

Statistical Sample

Our statistical sample of 97 purchasing card transactions disclosed that 82 different transactions were missing one or more critical attributes contained in the CPCP Manual to ensure the propriety of card purchases. For the attributes tested and related documentation errors, see Table 2 below.

Table 2

Schedule of Statistical Sample Test Result

Attribute Tested

OLA Test Results (Number of Transactions

Missing Required Attribute)2 Minimum Estimated Population Occurrence Rate for Documentation Errors3 Minimum Projected Population Occurrence for Documentation Errors3 Activity Log: 1

Order/Transaction Date 7 2.1% 14,501

Supplier/Contact 5 .8% 5,294

Total Transaction Amount 5 .8% 5,294

Cardholder Signature 11 5.0% 35,285

Supervisor Review

Signature/Date 34 25.6% 179,259

Fiscal Officer Signature 61 53.3% 373,662

Reconciled to Credit Card

Statement 31 22.7% 159,075

Itemized Invoice 26 18.0% 126,183

Credit Card Statement 6 1.4% 9,764

1

Bold items indicate specific documents required to be on file to support all transactions. If we could not locate an Activity Log, we noted each attribute under that heading as missing. 2

Our test results exceed 82 as certain test transactions had more than one missing attribute. 3

Minimum estimated occurrence rate and population occurrence based on a one-sided projection of the test results to the population of 701,406 transactions, with a confidence of 95%.

Projection of Results

Our test population consisted of 701,406 purchasing card transactions made by State employees between April 26, 2001 and June 25, 2002, from which we randomly sampled 97 transactions totaling $32,700. Based on the test results of 82 transactions with missing attributes, we are 95% confident that at least 77.3% of the transactions in the population tested contained one or more of the described documentation errors (or at least 542,477 transactions). For example, we are 95% confident based on our test results that:

(23)

of the transactions processed. The date of the review is important to ensure that it was conducted within the 60 day timeframe for disputing a transaction with the card vendor.

! at least 18% (or at least 126,000) of all transactions were not properly supported by an itemized invoice. An itemized invoice is a critical

document that helps supervisors reviewing the transaction determine what was actually purchased and its appropriateness.

From these 97 randomly selected transactions we identified 4 transactions that were not documented (that is, the agency could not provide any documentation to support the selected transaction) and 8 transactions we considered questionable because of incomplete documentation. These 12 transactions ranged in cost from $16 to $3,071.

Other Tests of Transactions

We tested 207 transactions totaling $241,000 from the period April 26, 2001 through June 25, 2002 that were selected on a non-statistical basis. Our tests disclosed 64 transactions totaling $101,000 from a number of agencies, which based on the information available at the time of our audit, we considered to be questionable, based on insufficient documentation, or represented inappropriate use of the corporate purchase card.

! We found 37 questionable transactions where we were uncertain, because of incomplete documentation, whether the purchases were received and used for legitimate State purposes. This includes one transaction, for example, where a charge for hotel costs was only supported by a reservation form and not documentation that the service was actually received (that is, the person stayed at the hotel for official State business). In another case, we noted a charge of $2,100 for electronic equipment (personal digital assistants) where the agency was unable to document who received the equipment and could not locate some of the purchased items. ! We also identified 27 inappropriate transactions where purchases were

made in apparent violation of State Procurement Regulations or the CPCP Manual. These transactions represented the splitting of purchases to avoid purchasing limits on specific procurement cards. For example, we noted one instance where an employee procured printing services valued at $12,700 on six different invoices to avoid the purchasing card’s preset per transaction spending limit.

(24)

We believe that some of the problems found during our testing were due to modifications made to the Activity Log by the user agencies. Specifically, our review of Activity Logs used by 21 agencies disclosed that 19 had modified the Log from the format prescribed in the CPCP Manual. Although some agency modifications were minor in nature, other agencies eliminated critical components of the Log, such as fiscal officer review and the date of supervisory review and approval. The CPCP Manual specifically states that agencies should not modify the Log.

At the conclusion of our fieldwork, we provided GAD with the 76 transactions (the 64 noted above and the 12 from the statistical sample) commented upon in this item for follow-up purposes. Subsequent investigations of these 76

transactions disclosed that some were determined to be for legitimate purposes (for example, based on documentation agencies obtained from vendors after our inquiries). Likewise, other purchases may ultimately prove to be for legitimate purposes after further investigation. However, this does not lessen the need for stringent oversight of a program that by its very nature (a large number of cards given to employees not previously routinely associated with the procurement process, in conjunction with ease of use and decentralized nature of the oversight) has an obvious inherent potential for abuse or misuse. At the time of our inquiries, the responsible agency personnel were not able to provide conclusive evidence substantiating the propriety of the transactions. This points to a failure in the control process whereby purchases can be made without subsequent approval or be approved without adequate description or documentation.

We recommend that GAD, in conjunction with the applicable agencies, ensure that the aforementioned transactions are properly resolved, including obtaining reimbursement from employees if appropriate. In addition, we recommend that GAD reiterate to all participating agencies the need to comply with all CPCP Manual documentation guidance, including retaining all components of the Activity Log and complying with procurement

(25)

Finding 4

GAD’s oversight of CPCP use was not sufficiently comprehensive to ensure guidelines are followed by user agencies.

Analysis

Although GAD had a process in place to periodically conduct field reviews of agencies’ purchasing card activities, it did not include a formal process to hold agencies accountable for failures to comply with significant CPCP guidelines. Furthermore, GAD’s process for selecting agencies for review was not sufficiently comprehensive. Due to limited assigned staff, GAD only conducted reviews of five of the 78 user agencies during the period April 2001 to July 2002. In a decentralized environment, such reviews are a critical component in determining that user agencies had adequate CPCP controls in place.

There was no formal CPCP enforcement process, including sanctions, to help ensure that deficiencies found during the review process were corrected or prevented in the future. For example, while GAD’s policy stated that serious deficiencies discovered in its review of an agency’s purchasing card program may be subject to follow up by GAD, sanctions such as prohibiting individual

cardholders or agency participation in the program had not been established. We believe this enforcement process is necessary to safeguard State assets. Although one of the five user agency reviews performed by GAD revealed serious problems and a GAD follow-up review indicated that they had not been corrected, the agency was allowed to continue in the CPCP. Our more recent testing of

transactions at this agency disclosed similar deficiencies, including a complete lack of documentation for numerous purchases. Our review of audits performed of Federal purchasing card programs by the United States General Accounting Office noted that the ultimate sanction for noncompliance was termination of program participation.

We also noted that GAD did not formally analyze relative risk when identifying agencies for review. There was no evidence that GAD considered such factors as the relative value of transactions processed or the agency’s transaction amount authority. For example, these five agencies represented only seven percent of the State’s total dollar transaction activity processed for the period from April 2001 to June 2002. See Exhibit 1 for a listing of all participating agencies including those reviewed by GAD.

(26)

Furthermore, although the review process did include certain internal control components, other critical components were not addressed. Specifically, the review did not include the adequacy of the agency’s internally developed policies and procedures, the agency’s overall reconciliation process (that is, whether processes were established to determine the validity of all charges and agreement with the credit card statement) or the adequacy of the Activity Log used to record and reconcile all individual transactions.

We recommend that GAD establish a formal enforcement process to help ensure significant deficiencies are corrected. This process should include sanctions, such as possible termination of CPCP participation. We also recommend that GAD implement an agency review schedule based on a documented risk analysis and consider expanding the number of reviews performed. Finally, we recommend that GAD modify the existing CPCP review procedures to include all critical internal control components.

Finding 5

Guidance contained in the CPCP Manual was often not comprehensive. Analysis

The CPCP Manual did not always provide user agencies with comprehensive guidance. Specifically, our review of the user agencies’ application of the Manual’s guidelines, their internal CPCP procedures and tests of individual purchasing card transactions highlighted a number of areas where we believe improvements could be made in the CPCP Manual to provide the participating agencies with additional or more specific guidance to properly implement prudent controls and safeguards. These conditions contributed to the deficiencies noted in our testing of individual purchasing card transactions commented on in Finding 3. For example, we noted the following conditions:

! Although the CPCP Manual requires the agencies to reconcile the monthly detail in the State’s accounting records (which represents card vendor data), it does not provide any instructions on how to accomplish this to ensure the propriety of the data. Three of four agencies we reviewed, who collectively accounted for approximately 30% of the State’s total

(27)

to the State’s accounting records did not receive the approved individual cardholder Activity Logs nor verify that the Logs had been reconciled to the monthly billing statement by appropriate supervisory employees. ! The Manual did not contain specific guidance for procuring and accounting

for equipment purchases made with the purchasing card. Since such purchases are usually made outside of an agency’s standard procurement process (that is, the establishment of a purchase order), it is likely that the agency personnel responsible for maintaining equipment records and establishing initial accountability over agency assets will not be aware of the purchase unless the agency provides separate procedures for

notification of purchasing card equipment transactions. Our test of 20 equipment purchases (generally computers and related items) made via the purchasing cards totaling $41,000 disclosed frequent accountability

problems. For example, items from 12 of the 20 purchases were not recorded in the property records.

We recommend that GAD modify the CPCP Manual, with input from other agencies (such as the Department of General Services), to provide

participating agencies with specific guidance on all critical facets of the CPCP. For example, the Manual should include guidance on how agencies should reconcile card vendor data and account for equipment purchases.

Finding 6

GAD did not ensure the propriety of the annual rebate paid under the current contract.

Analysis

GAD did not ensure the propriety of the rebate paid by the card vendor. Specifically, GAD did not begin a formal process to ensure the propriety of the annual rebate, which in the first year of the current contract totaled $1.4 million, until we inquired as to the accuracy of the amount. When we brought these issues to GAD’s attention, GAD recalculated the rebate and found that it was reasonable.

(28)

We recommend that GAD establish procedures to ensure the annual rebate payment made by the card vendor is accurate in accordance with the terms of the contract.

Evaluating CPCP Performance and Identifying Opportunities

Conclusion

Certain State purchases were not made in the most economical and efficient manner, since purchasing card information was not made available to statewide procurement agencies. By having this information, the procurement agencies could determine whether they should enter into statewide contracts to obtain better prices for commonly procured goods and services. Furthermore, CPCP

performance was not adequately measured because Managing for Results data was not comprehensive. Finally, we identified several opportunities to increase

purchasing card use by State agencies. Decisions to expand CPCP use should consider related risks (such as the effectiveness of internal controls).

Finding 7

Statewide CPCP information was not available to procurement agencies to achieve more cost efficient purchases.

Analysis

Comprehensive statewide CPCP use and procurement information was not made available to agencies that had centralized procurement authority to assist them in reducing costs for commonly procured goods and services. Specifically, the Department of General Services (DGS), the Department of Budget and Management (DBM) and the University System of Maryland – College Park negotiate contracts on either a statewide or system-wide basis, but they could not access comprehensive statewide information on purchasing card activity.

Therefore, they were unable to determine the extent and nature of transactions placed with certain merchants to ensure that goods and services were procured in the most economical manner.

(29)

opportunities for the State to ensure that purchases are made in the most efficient and economical manner. For example, the card vendor’s records indicated that State agencies spent $1.8 million on “quick copy reproduction services”. This amount included over $600,000 paid to one national chain of copy centers, which did not have a statewide contract (and, as a result, formal discounts were not obtained). In addition, one State print shop advised us that its printing charges are generally significantly less than the retail prices charged by outside vendors

(including the aforementioned national chain).

Of the 200 merchants, for which total payments were $68.2 million, we identified 61 that had a contract with at least one of the three agencies with centralized procurement authority. While we were not able to readily determine if all the individual transactions with the 61 merchants were made in accordance with any existing contracts (that is, goods/services at a price from a previously negotiated contract), some of the purchases were made without regard to any existing contracts.

For example, we reviewed the purchasing card transactions for 1 of those 61 merchants (which had 608 transactions totaling $680,000) to determine whether contracts were used and, if not, the potential benefit of using statewide purchasing data as a tool for making more economical purchases. In this one case, we found that the State often paid an excessive cost for services (advertising) rendered. Although one State agency entered into a contract with this merchant for its own use, our tests of 26 transactions totaling $32,000 made by other State agencies disclosed that for 17 items costing $20,000, the rate paid was 33% greater than the contract rate. As a result, the State could have saved $5,200 if it had received the contract rate. Finally, we noted that even the contract rate charged by this

merchant was substantially greater than rates offered by this merchant to certain other non-governmental customers. As a result, the benefits from the combined purchasing power of the CPCP, in the form of lower costs, were lost to the State. Our discussions with representatives of several procurement oversight agencies disclosed that these agencies would like to access and review statewide purchasing card information in order to ensure efficient and economical use of the purchasing card.

(30)

We recommend that GAD provide comprehensive statewide CPCP usage and procurement information to those State agencies responsible for the

centralized procurement of goods and services (for example, DGS, DBM). This would enable those agencies to identify opportunities for more efficient and economical card usage.

Finding 8

Managing for Results data did not adequately measure CPCP performance. Analysis

GAD’s Managing for Results data was not always accurately reported and was not sufficiently comprehensive, so the performance success of the CPCP could not be measured. For both fiscal years 2001 and 2002, GAD did not accurately calculate and present program performance regarding the “Total vendor payment

transactions eligible for card use” that is a key component in determining the size of the CPCP in relation to the Program’s potential. GAD had not analyzed the reported transactions to determine the actual number eligible for card use. This also affected the accuracy of the resultant “Corporate charge transactions as a percentage of eligible vendor payment transactions.” See Table 3 for published CPCP Performance Measures.

Table 3

CPCP Performance Measures as Published in Fiscal Year 2004 Budget Book

Measure 2001

Actual

2002 Actual

2003 Estimated

2004 Estimated

Corporate charge card

transactions1 578,104 652,638 717,902 789,692 Corporate charge card

purchases (millions)1 $164.8 $184.7 $203.2 $223.5 Total vendor payment

transactions eligible for card use

1,375,906 1,417,997 1,488,897 1,563,342 Corporate charge card

transactions as a

(31)

In addition, GAD’s performance measures were not sufficiently comprehensive to evaluate the effectiveness of the CPCP. Specifically:

! The current contract was awarded as a revenue-generating contract (due to the annual rebate); however, GAD had not developed any revenue-based performance measures. GAD can influence card use and the rebate through setting CPCP policy that increases purchase volume.

! Although the CPCP Manual states that the CPCP benefits the State by reducing the number of purchase orders, invoices and small dollar checks paid to vendors as well as more timely payment to vendors, GAD had not established any formal goals, measures or mechanisms to monitor

performance in these areas. (Available State records do indicate that the number of purchase orders processed through the State’s purchasing system decreased significantly since the advent of the program.) ! Another significant potential benefit from the use of purchasing cards,

which has not been included as a measure or otherwise analyzed, is the impact on staffing. A study in the August 2002 issue of the Government

Finance Review magazine indicated that governments that implemented

purchasing card programs had generally been able to either reduce staffing in related areas (such as procurement and accounts payable) or reassign staff to other functions.

We recommend that GAD take the necessary actions to ensure the accurate reporting of performance measures related to the CPCP. In addition, we recommend that GAD reevaluate its measures to help ensure that they sufficiently align with CPCP’s primary objectives.

Finding 9

Opportunities exist to maximize State agency purchasing card usage. Analysis

A process was not in place to formally ensure that the State maximized the use of the corporate purchasing card. Increasing card use could result in higher annual rebates and increased operating efficiencies (a reduction in paperwork and its related impact on staffing).

(32)

! We found certain management reports, which showed that approximately 700,000 of the State’s annual 1.4 million transactions under $2,500 (the normal transaction threshold for card use) were not completed with a purchasing card. But GAD had not reviewed this transaction information to identify opportunities for expanding use of the CPCP.

! GAD did not determine the feasibility for using purchasing cards for payment convenience purposes, especially for recurring high-dollar value transactions (such as telecommunication services and postage). For example, we identified three vendors with whom the State routinely conducts business ($31.1 million in fiscal year 2002), where the corporate purchasing card was generally not used for payment purposes. For fiscal year 2002, transactions $10,000 and over represented at least 68% of the total payments made to these three vendors. In addition, we contacted one of the three vendors who advised us that they would support the use of the purchasing card for payment of high-dollar transactions.

! Certain State agencies did not participate in the CPCP. For example, as of the end of our fieldwork, the Judiciary did not participate in the program and had not implemented a similar program for its own use. We were advised by GAD that it had repeatedly contacted the Judiciary about joining the State CPCP, but that the Judiciary was non-responsive to the offers. We contacted the Judiciary, and were informed by a management official that they were in the process of evaluating participation in the CPCP or establishing a separate program.

We recommend that GAD, in conjunction with the Board of Public Works and centralized procurement agencies (including the Judiciary), determine the feasibility of expanding program use, including using the cards to pay recurring transactions. Decisions to expand use should consider the related risks (such as the effectiveness of internal controls).

Contract Procurement

(33)

Exhibit 1

Agency Usage of the Corporate Purchasing Card

April 26, 2001 to June 25, 2002

Agency Number of

Transactions

$ Value of Transactions

Number of Cards1

University System of Maryland

(USM) – College Park 145,929 $45,775,759 1,405 USM - Baltimore 93,870 27,950,332 474

State Highway Administration 74,683 18,934,021 437 Department of Natural Resources 47,568 8,220,044 1,189 Department of Health and Mental

Hygiene 46,699 13,160,218 401 USM – Baltimore County 37,680 11,169,041 398

USM - Towson University 34,200 10,837,308 584 Department of Public Safety and

Correctional Services 29,189 11,569,315 255 Department of Education 16,548 4,302,679 232

Morgan State University 16,499 5,243,220 292

USM – Biotechnology Institute 15,410 5,033,048 80 Mass Transit Administration 14,588 3,596,540 186

USM – Eastern Shore 12,717 3,091,990 163 USM – Center for Environmental

Science 11,221 3,180,317 91 USM- Salisbury University 9,230 2,598,723 27

Department of Human Resources 8,545 2,333,395 177 USM - Frostburg State University 7,685 1,597,794 174

Military Department 5,830 1,441,927 44 Maryland Public Television 5,692 1,607,652 90

Maryland Port Administration 5,363 987,164 111 Department of Juvenile Justice 5,196 1,414,762 101 Motor Vehicle Administration 3,916 1,905,208 104

Department of the Environment 3,633 729,084 68 Maryland Aviation Administration 3,312 1,012,641 13

Department of General Services 3,310 582,106 83 USM - University of Baltimore 3,186 1,168,801 82

(34)

Exhibit 1 (continued)

Agency Usage of the Corporate Purchasing Card

April 26, 2001 to June 25, 2002

Agency Number of

Transactions

$ Value of Transactions

Number of Cards1

Department of Housing and

Community Development 3,147 784,771 61 St. Mary’s College 3,002 562,053 55

Maryland General Assembly 2,861 548,985 29 USM – University College 2,758 1,212,497 7 Baltimore City Community College 2,570 764,149 53

Department of State Police 2,004 615,900 9 Department of Transportation –

Office of the Secretary 1,769 611,936 19 USM – Systems Administration 1,651 285,413 19

Register of Wills 1,617 352,687 26 USM - Bowie State University 1,603 461,715 57

Department of Assessments and

Taxation 1,562 435,301 50 Office of the Comptroller 1,510 407,984 40

Department of Business and

Economic Development 1,340 420,199 26 USM - Coppin State College 1,239 586,944 3

Maryland Food Center Authority 1,056 95,702 16 Maryland Institute for Emergency

Medical Services Systems 1,034 180,840 16 All Others 8,999 2,311,544 215

Totals 701,421 $ 200,081,709 7,962

Source: General Accounting Division 1

Card count as of July 1, 2002

Agency purchasing card use reviewed by GAD. Two of the five agencies reviewed by GAD, Department of Agriculture and Public Service Commission, were not large enough to be listed separately on this schedule and are included in the “All Others” category.

(35)

(36)

Comptroller of Maryland

Corporate Purchasing Card Program

June 2002 – May 2003

Finding 1

Formal responsibility for oversight of the CPCP has not been established. Recommendation 1

We recommend that responsibility for oversight of the CPCP be formally established. Specifically, we recommend that GAD and other appropriate State agencies enter into a formal memorandum of understanding to establish areas of formal responsibility and authority over the various CPCP functions, including payment and procurement. These responsibilities should also address the various oversight issues raised elsewhere in this report.

Response 1

The auditor notes that the General Accounting Division has issued a policies and procedures manual on the Corporate Purchasing Card Program. In addition, the Division has established transaction limits for card use. The Division has implemented a statewide block on certain merchant category codes (e.g., liquor stores) to prevent agencies from using the card at certain establishments and the Division has conducted numerous training sessions for agencies. Furthermore, monthly the Division reviews agencies’ purchases on a statewide basis and develops a listing of questionable purchases and follows up with the respective state agency to determine the propriety of these purchases. The Division conducts, to the extent permitted by available resources, reviews of the corporate purchasing card program at state agencies and makes recommendations for improvement. The Division also issues one check each month to the bank for all corporate credit card purchases and allocates the charges to the respective state agencies’ appropriation accounts.

In addition, the Corporate Purchasing Card Program Steering Committee has been in existence since the inception of the program. Members include representatives from the General

Accounting Division, the Board of Public Works and the University of Maryland Systems. The committee meets on a monthly basis. At the inception of the Program a representative from the Department of General Services attended the meetings. When the DGS assigned representative retired, the Department did not assign a replacement to attend the meetings. We will again request participation from the Department of General Services. In addition, we will request that a representative from the Department of Budget and Management attend the meetings.

(37)

Comptroller of Maryland

Corporate Purchasing Card Program

June 2002 – May 2003

policy and procedures manual clearly states that state procurement regulations (COMAR Title 21) must be followed. Therefore, the formal responsibility and authority for procurement has remained unchanged. Furthermore, in our opinion the steering committee provides appropriate oversight vehicle for the program.

Finding 2

Agencies are not required to provide any assurance to GAD regarding the validity of monthly CPCP charges.

We recommend that GAD require agencies to provide written assurance as to the validity of their monthly CPCP charges.

Response 2

We agree with the auditors’ recommendation and will require a certification from the agencies. This certification will include statements that:

! Cardholder bank statements were reconciled to corresponding activity logs

! Documentation is available for each transaction listed on the cardholder bank statement

! All activity logs are signed by the cardholder and approved by supervisory personnel.

! The vendor was sent a written statement of all disputed items

This certification will be required within 45 days from the cycle end date. Any agency going two months without submitting a certification will have all their cards suspended until they complete this requirement.

Finding 3

Agencies’ purchasing card transactions were often not properly documented and certain transactions appeared to be inappropriate or questionable in nature.

We recommend that GAD, in conjunction with the applicable agencies, ensure that the aforementioned transactions are properly resolved, including obtaining reimbursement from employees if appropriate. In addition, we recommend that GAD reiterate to all participating agencies the need to comply with all CPCP Manual documentation guidance,

(38)

Comptroller of Maryland

Corporate Purchasing Card Program

June 2002 – May 2003

including retaining all components of the Activity Log and complying with procurement regulations.

Response 3

GAD has investigated all of the transactions identified by the auditor with the following results:

! GAD has reviewed the 4 transactions identified by the auditor as being undocumented

from the test selection of 97 transactions and has received documentation for all 4 of the transactions. Additionally, for 7 of the 8 transactions identified as having “incomplete documentation”, the state agencies have supplied GAD with complete documentation (signed log, invoice, etc.). For the one remaining transaction in the amount of $109.79 the Department of Public Safety was unable to locate the invoice.

! GAD has documentation that supports the appropriateness of 31 of the 37 transactions

identified as questionable. Specifically, in the instance of the hotel costs supported by a reservation form, GAD has received an itemized hotel receipt and a conference agenda listing the cardholder as a presenter representing the State of Maryland. Additionally, a transaction in the amount of $1,178.80 by the State Highway Administration was for the purchase of tires for a bi-directional tractor. The auditor also identified a purchase for “golf shirts” by a state university as questionable. Our investigation revealed that these shirts were for employee uniforms. The six remaining transactions with incomplete documentation lacked an approved activity log and in two instances an original invoice.

Table 1

Transactions with Incomplete Documentation

Agency Amount Vendor Purpose

DPSCS1 $227.10 Xpedx Copier paper *

MSU2 $24.55 Giant Food, Inc. Photo development for

program *

MSU $31.50 Deer Park Water Water for office

MSU $16.00 FedEx Package delivery

MSU $2,350.00 Visual Communications Audio visual equipment for

classroom

MSU $256.00 Visual Communications Audio visual equipment for

classroom * Agency unable to locate original invoice

(39)

Comptroller of Maryland

Corporate Purchasing Card Program

June 2002 – May 2003

! As a result of GAD’s investigation of transactions identified as “split purchases,”

documentation was supplied for 16 of the 27 items supporting them as being legitimate purchases made within COMAR guidelines. Specifically, in the instance where

telephones were purchased by the University of Maryland College Park, the order dates on the invoices show that the transactions are one month apart. In another instance, a review of documentation (monthly billing statement) for two transactions for the University of Maryland at Baltimore reveals that the transactions took place 2 weeks apart.

We are willing to cooperate with the auditors to expand the investigation, if necessary, to resolve this issue to the auditor’s satisfaction. In the event that further investigation reveals that any of these charges are inappropriate, GAD will take the necessary action including the suspension of the cards in question.

Review of the Activity Log is a part of our Agency Review process. Section 11.04 of the CPC manual clearly states: “The Activity Log may be recreated electronically, however, all current wording and signatures must be retained.” We will re-emphasize the current manual

documentation requirements as recommended and the CPC manual revision will reiterate the importance and necessity of the using the Activity Log as a control tool.

Finding 4

GAD’s oversight of CPCP use was not sufficiently comprehensive to ensure guidelines are followed by user agencies.

We recommend that GAD establish a formal enforcement process to help ensure significant deficiencies are corrected. This process should include sanctions, such as possible

termination of CPCP participation. We also recommend that GAD implement an agency review schedule based on a documented risk analysis and consider expanding the number of reviews performed. Finally, we recommend that GAD modify the existing CPCP review procedures to include all critical internal control components.

Response 4

Most of the problems detected by our limited review program were related to incomplete activity logs and failure to obtain signatures. When necessary, GAD senior management did meet with senior agency personnel to re-enforce the policies stated in the Comptroller’s Corporate

State Corporate Purchasing Card Program

Performance Audit Report