This is the accessible text file for GAO report number GAO-03-405 entitled 'FAA Purchase Cards: Weak Controls Resulted in Instances of Improper and Wasteful Purchases and Missing Assets' which was released on March 27, 2003. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products’ accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. Report to the Chairman, Committee on Transportation and Infrastructure, House of Representatives : March 2003: FAA PURCHASE CARDS: Weak Controls Resulted in Instances of Improper and Wasteful Purchases and Missing Assets: GAO-03-405: GAO Highlights: Highlights of GAO-03-405, a report to the Chairman, House Committee on Transportation and Infrastructure Why GAO Did This Study: In May 2002, GAO reported on breakdowns in purchasing controls at the Federal Aviation Administration’s (FAA) Alaskan Region that resulted in improper and wasteful purchases. Many of the weaknesses were associated with the use of government credit cards—referred to as purchase cards— and raised concerns that similar problems might exist FAA-wide. As a result, GAO was asked to determine whether FAA’s purchase card controls reasonably ensured that purchases were proper, at a reasonable cost, and for valid government needs. GAO also assessed whether assets bought with purchase cards were being properly safeguarded and recorded. What GAO Found: Weaknesses in FAA’s purchase card controls resulted in instances of improper, wasteful, and questionable purchases, as well as missing and stolen assets. These internal control weaknesses included inadequate segregation of duties, lax supervisory review and approval, missing purchase documentation, inadequate training, and insufficient program monitoring activities, all of which created an environment vulnerable to fraud, waste, and abuse. These weaknesses contributed to the $5.4 million of improper purchases GAO identified. Among these were purchases that were split into two or more segments to circumvent single purchase limits. GAO also identified over $630,000 in purchases that were considered wasteful—that is, excessive in cost, for questionable government needs, or both—or were considered questionable because they were missing a receipt to show what was actually purchased. Some examples of these are shown in the table below. [See PDF for image] [End of table] In addition, over half of the asset purchases—such as computers and other equipment—that GAO examined had not been recorded in FAA’s property system, increasing the risk of loss or theft. As a result, FAA could not locate or document the location of over a third of the 692 items that GAO attempted to observe. These missing items totaled almost $300,000. In separate internal reviews, one FAA location identified over 800 items, totaling almost $2 million, that were lost or stolen in fiscal years 2001 through 2002. Given systemic weaknesses in FAA’s property controls, the actual amount of missing or stolen equipment FAA-wide could be much higher. What GAO Recommends: GAO is making a number of recommendations to strengthen FAA’s internal controls and compliance in its purchase card program, decrease wasteful purchases, and improve the accountability of assets in order to reduce vulnerability to improper and wasteful purchases. FAA emphasized its commitment to a sound purchase card program and highlighted a number of completed or ongoing actions to strengthen controls. www.gao.gov/cgi-bin/getrpt?GAO-03-405. To view the full report, including the scope and methodology, click on the link above. For more information, contact Linda Calbom at (202) 512-9508 or calboml@gao.gov. [End of section] Letter: Results in Brief: Background: Scope and Methodology: Internal Controls Were Lacking or Ineffective: Noncompliance with Policies and Procedures Resulted in Some Improper Purchases: Poor Controls Resulted in Some Wasteful and Questionable Purchases: Poor Controls Contributed to Wasted or Missing Assets: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendixes: Appendix I: Comments from the Department of Transportation: Appendix II: Staff Acknowledgments: Acknowledgments: Tables: Table 1: Transactions Not in Compliance with Purchasing Requirements: Table 2: Transactions Identified as Wasteful or Questionable: Table 3: Examples of Transactions Where Invoice Documentation Was Missing: Abbreviations: AMS: Acquisition Management System: APC: Agency Program Coordinator: DOT: Department of Transportation: EAGLS: Electronic Account Government Ledger System: FAA: Federal Aviation Administration: GSA: General Services Administration: JWOD: Javits-Wagner-O’Day: OIG: Office of Inspector General: OMB: Office of Management and Budget: PDA: Personal Digital Assistants: PPIMS: Personal Property In-use Management System: UNICOR: Federal Prison Industries, Inc. : Letter March 21, 2003: The Honorable Don Young Chairman Committee on Transportation and Infrastructure House of Representatives: Dear Mr. Chairman: The use of purchase cards in the federal government has dramatically increased in past years as agencies have sought to eliminate the bureaucracy and paperwork long associated with making small purchases. The benefits of using purchase cards are lower costs and less red tape for both the government and the vendor community. However, given the nature, scale, and increasing use of purchase cards, it is important for agencies to have adequate internal controls in place to help ensure proper use of purchase cards and thus to protect the government from waste, fraud, and abuse. In September 2001, the Department of Transportation’s (DOT) Office of Inspector General (OIG) issued a report on the results of its audit of DOT’s government purchase card program.[Footnote 1] That review examined 785 fiscal year 2000 purchase card and convenience check transactions made by 9 of DOT’s 11 operating administrations.[Footnote 2] Based on its review of this limited sample of transactions, the OIG reported that purchases were reasonable, valid, and received. However, the OIG also noted that within the Federal Aviation Administration (FAA), internal controls were weak concerning verification of purchases, splitting purchases to avoid purchase card limits, and performing reviews of purchase card usage. Subsequently, we reviewed purchasing controls and activities--including those involving the use of purchase cards--within the Airway Facilities Division at FAA’s Alaskan Region and found similar internal control weaknesses.[Footnote 3] These included an inadequate supervisory review and approval process, an inadequate segregation of duties, and a lack of oversight of spending that allowed improper and wasteful expenditures to occur. Given these results, you requested that we conduct an in-depth audit of FAA’s purchase card and convenience check transactions for fiscal year 2001 to determine the validity of purchase card and convenience check usage.[Footnote 4] Consequently, we designed our review to determine if FAA’s (1) internal controls provided reasonable assurance that improper purchase card and convenience check purchases would not occur or would be detected in the normal course of business, (2) purchase card and convenience check expenditures were made in accordance with established policies and procedures, (3) purchases were made for reasonable costs and valid government needs, and (4) controls over purchase card and convenience check asset acquisitions were adequate to properly record and safeguard assets. Results in Brief: Significant internal control weaknesses in FAA’s purchase card program made the agency vulnerable to and in some cases resulted in improper, wasteful, and questionable purchases, as well as missing assets. These weaknesses included inadequate segregation of duties over purchases; lax supervisory review and approval of purchases; lack of required documentation for purchases; inadequate training for cardholders, approving officials, and agency program coordinators; and a lack of or inadequate monitoring activities. For example, we found instances where supervisors had approved payment of transactions even though key documentation to support the purchases was missing. Despite prior audit reports dating back to 1997 communicating some of these weaknesses, we found the same weaknesses continued during our review, which covered fiscal year 2001. Because of these internal control breakdowns, FAA did not have reasonable assurance that improper purchases would be prevented or detected in the normal course of business. The lack of adequate internal controls and monitoring of the program created an environment in which improper purchases--meaning those that violated law, regulation, or FAA policy--could be made with little risk of detection. Inadequate controls over expenditures, combined with the inherent risk of fraud and abuse associated with the purchase cards, resulted in improper purchases totaling $5.4 million. This included 997 transactions totaling $5.1 million associated with purchases that had been split into two or more segments to avoid the cardholder’s single purchase limit. We also found 54 instances of unauthorized purchase actions, whereby someone other than the cardholder had made the purchase.[Footnote 5] For example, at the direction of one cardholder’s supervisor, other staff in the office used the cardholder’s purchase card number to make 21 purchases of computer and office equipment totaling over $149,000. Although these types of policy violations are subject to disciplinary action, we generally found that action had not been taken against the cardholders or approving officials. Failure to comply with applicable policies and procedures lessens FAA’s ability to ensure that funds are being properly obligated and spent. The inadequacy and ineffectiveness of internal controls was also evident in 114 purchase transactions totaling $222,602 that we considered wasteful because they were excessive in cost, for questionable government need, or both. For example, we identified 25 purchases for 123 personal digital assistants (PDA) that ranged in cost from $100 to $558 each, and accessories such as six high-cost leather PDA cases purchased from the Coach store totaling $717. In addition, we identified almost $17,000 paid to Internet service providers such as America Online for individual FAA employees, despite the fact that FAA provides Internet access for all staff. We also found 162 transactions totaling $407,356 that we considered questionable, such as purchases from BestBuy.com totaling $2,440 and Ashford.com (a jewelry Web site) for $78. While such merchandise could easily have been for personal use and not for official government use, missing documentation prevented us and other reviewers from determining the reasonableness and validity of these purchases. While the $6.1 million of improper, wasteful, and questionable purchase card and convenience check purchases we identified is relatively small compared to the over $150 million in total annual purchase card and convenience check activity, it demonstrates vulnerabilities from weak controls that could easily be exploited to a greater extent. In addition, because we only tested a small portion of the transactions we identified that appeared to have a higher risk of fraud, waste, or abuse, there may be other improper, wasteful, and questionable purchases in the remaining untested transactions. Inadequate internal controls over computers and other property acquired with the purchase card contributed to unrecorded and missing equipment. Specifically, from our detailed testing of transactions, we found that FAA had not recorded 262 asset-related transactions totaling $4.1 million in its property management system. In addition, during our unannounced physical inventory, we identified 238 items, totaling $287,766, that FAA could not locate. Of these, 202 items were missing, and FAA reported that the remaining 36 items had been transferred to other FAA locations or returned for repair or replacement, but could not provide documentation to support these claims. In addition to the items we found missing, we noted that at one FAA location, the property management division identified 405 items totaling over $900,000 that were lost or stolen in fiscal year 2001 and another 437 items totaling over $1 million that were lost or stolen in fiscal year 2002. These lost or stolen items were primarily identified through physical inventory counts performed during those years. We also noted poor physical controls over FAA’s computer-related assets. Given the systemic weaknesses we identified in FAA’s property controls, the actual amount of missing or stolen equipment agencywide could be much higher. Decentralized procedures for receiving property acquisitions, inadequate safeguarding of assets, and inconsistent recording of those assets in FAA’s property management system created an environment in which assets could be easily lost or stolen without detection. Management’s commitment to addressing and correcting these problems is necessary to reduce FAA’s vulnerability to improper and wasteful expenditures and lost or stolen assets. We are making a number of recommendations that, if properly implemented, will improve internal controls over FAA’s purchase card and convenience check program to help ensure that improper and wasteful purchases are prevented or detected in the future and vulnerable assets are better accounted for and protected. In its comments on a draft of this report, DOT described several actions completed or under way to address our recommendations and expressed its commitment to running a sound purchase card program in compliance with applicable requirements. Background: The General Services Administration (GSA) administers the federal government’s credit card program. GSA contracts with commercial banks to issue credit cards to federal employees to make official government purchases. FAA’s purchase cards[Footnote 6] are issued by Bank of America. The FAA purchase card, unless otherwise prohibited, is intended to be the primary purchasing method when vendors accept purchase cards as payment. This payment method is intended to streamline procurement and payment procedures and reduce administrative burden by reducing the number of procurement requests, purchase orders, and vendor payments issued. FAA’s purchase card program also includes the use of convenience checks to pay vendors that do not accept credit cards. In fiscal year 2001, FAA made over 364,000 purchases using purchase cards and convenience checks totaling $151 million. This reflects a significant increase over the prior fiscal year, when FAA made a total of 271,000 purchase card and convenience check purchases (a 34 percent increase) totaling $126 million (a 20 percent increase). The Department of Transportation and Related Agencies Appropriations Act of 1996 exempted FAA from the Federal Acquisition Regulation and other provisions of acquisition law, and directed the FAA Administrator to develop and implement FAA’s own acquisition system. The resulting system, called the FAA Acquisition Management System (AMS), took effect April 1, 1996. AMS establishes policy for all aspects of the acquisition life cycle. It was intended to simplify acquisition management into a system providing more timely and cost-effective acquisition of equipment and materials. Although FAA is exempted from certain federal acquisition requirements, many of these requirements have been incorporated into FAA’s policies. FAA also established the FAA Acquisition System Toolset that supplements AMS by providing additional acquisition policy and guidance, such as the Commercial and Simplified Purchase Method guidance, which provides guidance on purchase cards and convenience checks.[Footnote 7] Within this guidance, FAA delegates to each acquisition office within a region or center, or within headquarters the responsibility of managing its own purchase card program and establishing its own internal processes for issuing purchase cards and monitoring the program. In addition, FAA’s internal Purchase Card/Check User Guide assists cardholders and approving officials in carrying out their responsibilities. GSA and Bank of America also provide purchase card guidance and GSA provides training that is available to cardholders, approving officials, and program coordinators. For example, GSA’s Blueprint For Success: Purchase Card Oversight was prepared by a working group of agency program coordinators (APC) and provides general program guidance to APCs in performing their responsibilities. Beginning in fiscal year 2003, GSA made available to APCs a Web-based on-line training course covering such topics as APC responsibilities, reporting tools, and preventive measures to use in monitoring the purchase card program. APCs are generally responsible for setting up and maintaining all accounts, developing internal program guidelines and procedures, ensuring that cardholders and approving officials receive proper training, and monitoring for fraud and misuse. Each agency must designate an APC to function as the agency’s primary liaison to the contract bank and to GSA. FAA’s operating guidance also requires the chief of the contracting office within each region or center and within headquarters to delegate a person or persons to act as the APC for that location. As a result, FAA has a different APC at each of its 12 major locations,[Footnote 8] with the headquarters APC designated agencywide responsibility for the program. Cardholders are responsible for understanding and complying with purchasing policies and procedures, maintaining records and receipts of all purchases, reconciling their purchases to their monthly statements, and preparing and submitting required property management forms for assets purchased. Each cardholder’s designated approving official-- which is normally the next level supervisor--is responsible for reviewing the cardholder’s transactions to assure they are properly documented, comply with purchasing policies, and are necessary for accomplishing the mission of the agency. Approving officials are also responsible for reporting fraudulent or improper use of the card. As of January 2002, 8,534 out of 51,062 (17 percent) FAA employees had commercial purchase cards, most of which had a single purchase limit between $2,500 and $10,000 and a monthly purchase limit between $5,000 and $120,000. Each convenience check issued is not to exceed $2,500. Other key roles affecting purchases include the accounting certification officer (also known as the funds certification officer), and the property custodian. FAA’s procurement guidance specifies that, prior to purchase, the program office funds certification officer shall determine whether the expenditure is authorized by the appropriation and provide either a written certification that adequate funds are available or condition the purchase upon availability of funds. Property custodians are responsible for reviewing and processing source documents for the receipt, transfer, or disposal of accountable property[Footnote 9] in their assigned custodial areas, conducting physical inventories, and ensuring that property is adequately safeguarded. In September 2001, DOT’s OIG issued a report on the results of its audit of DOT’s purchase card program.[Footnote 10] The OIG examined a total of 785 purchase card and convenience check transactions totaling $1.2 million made by FAA, the U.S. Coast Guard, and seven other DOT operating administrations. Based on this limited sample, the OIG reported that generally, purchases were reasonable, valid, and received. However, it also reported that (1) approving officials were not verifying that purchases were authorized, (2) cardholders were splitting single purchases into multiple transactions to avoid purchase card limits, and (3) FAA was not conducting periodic follow-up reviews of purchase card usage. The OIG also found instances of purchase card fraud and violations of DOT policies and internal control procedures. These results were similar to those found during the OIG’s previous review of DOT’s purchase card program. In November 1997, the OIG reported that approving officials were not performing required reviews of documentation, cardholders were splitting purchases, and periodic follow-up reviews were not being conducted.[Footnote 11] It recommended at that time that DOT reemphasize the requirement for approving officials to review supporting documentation for cardholder purchases and provide guidance for conducting periodic follow-up reviews. The OIG indicated in these reports that DOT and FAA actions taken and planned to address the recommendations sufficiently addressed the recommendations made. However, based on our findings the corrective actions taken were not fully effective. In May 2002, we issued a report on the results of our review of purchasing controls and activities within the Airway Facilities Division at FAA’s Alaskan Region.[Footnote 12] This was the only unit in FAA to implement a pilot program, called the Corporate Maintenance Philosophy, from 1997 to 2001. Due to controversy surrounding this program, including allegations of inappropriate spending, we reviewed this unit’s internal controls and selected expenditures. With respect to its purchase card program, we found: * inadequacies in the segregation of purchasing duties, the supervisory review and approval process, and the tracking of accountable property and award inventories; * improper purchases, such as purchases that were split to circumvent purchase limits, restricted items that were purchased without required approvals, and items that were not bought from required vendors and lacked the necessary waivers to do so; * purchases of expensive items such as flat panel computer monitors costing over $3,000 each and PDAs ranging from $300 to over $500 each; and: * a decentralized operating environment and a lack of training that contributed to these weaknesses. Our report resulted in 18 recommendations to FAA to address these issues. In its response to this report, FAA agreed with the recommendations and indicated it had initiated action to address all of the issues. Scope and Methodology: The scope of our review included FAA headquarters, FAA’s two centers, and eight of its nine regional offices.[Footnote 13] We conducted site visits to six of these locations. To obtain an understanding of FAA’s purchase card and convenience check policies and procedures, the related internal controls, and policies and controls over assets purchased, we: * reviewed FAA’s AMS policy, procurement guidance, purchase card/check user guide, property management policies, and local operating procedures over the purchase card program, and: * conducted walkthroughs and structured telephone interviews with FAA management and staff to identify key purchase card, convenience check, and accountable property policies, procedures, and initiatives. To assess the adequacy of internal controls, we used our Standards for Internal Control in the Federal Government,[Footnote 14] Internal Control Management and Evaluation Tool,[Footnote 15] Guide for Evaluating and Testing Controls Over Sensitive Payments,[Footnote 16] and Strategies to Manage Improper Payments.[Footnote 17] To test internal controls over transactions and determine whether expenditures were made in compliance with policies and procedures, were reasonable, and had a valid government need, we selected transactions using three different methods. For each method of selection, we provided FAA with the transactions selected and obtained and reviewed related supporting documentation. The three methods are as follows. * Data mining.[Footnote 18] We performed data mining on Bank of America’s database of FAA’s fiscal year 2001 purchase card and convenience check transactions for indicators of potential noncompliance with established policies and procedures. Specifically, we looked for purchases that exceeded cardholder or convenience check spending limits, split purchases, cardholders with multiple purchase cards, former employees who had active purchase card accounts after their separation dates, cardholders who were payees on convenience checks, and cash advances. We forwarded the results of all transactions that met specific criteria to the cognizant APCs for their responses and related documentation, which we used to assess whether in fact these were violations of policy. * Statistical sampling. We selected a stratified random (statistical) sample of 333 transactions totaling $4.2 million from the population of transactions paid from October 1, 2000, through September 30, 2001, to test specific control activities, such as segregation of duties, evidence of approving official review and approval, and adequacy of supporting documentation; whether the purchases complied with purchasing policies; and whether the purchases appeared reasonable and had a valid government need. Results from the statistical sample were projected to the population[Footnote 19] of FAA purchase card and convenience check transactions for fiscal year 2001. * Nonstatistical sampling. We also selected transactions on a nonstatistical basis to allow us to identify transactions that appeared to have a higher risk of fraud, waste, or abuse, although the results cannot be projected to the overall population of purchases. To select these transactions, we first performed data mining on fiscal year 2001 transactions to identify purchases from certain vendors that would more likely be selling unauthorized or personal use items; purchases made on the weekends, during holidays, or at fiscal year-end; and purchases of sensitive assets. This resulted in tens of thousands of transactions identified, from which we then selected 1,874 transactions totaling $7.9 million to test whether these purchases were made at excessive cost and/or for questionable government needs, and whether they complied with select purchasing policies and procedures. To determine if controls over purchase card and convenience check equipment acquisitions were adequate to properly record and safeguard assets, we did the following. * Reviewed policies and procedures over the management and control of accountable property and sensitive items.[Footnote 20] * Tested accountable property selected in the statistical and nonstatistical samples to determine whether these assets had been entered into FAA’s property management system prior to our review. * Selected 81 transactions for equipment purchases made by four FAA locations to conduct an unannounced inventory of desktop computers, laptops, and other sensitive items that were purchased with government purchase cards or convenience checks. While we identified some improper purchases, our work was not designed to identify all fraudulent or otherwise improper purchases made by FAA. We conducted our review from January through December 2002 in accordance with generally accepted government auditing standards. We requested written comments on a draft of this report from the Secretary of Transportation or his designee. Written comments were received from the department’s Assistant Secretary for Administration and are reprinted in appendix I. Internal Controls Were Lacking or Ineffective: FAA’s internal controls did not provide reasonable assurance that improper purchase card and convenience check purchases would not occur or would be detected in the normal course of business. Internal controls serve as the first line of defense in safeguarding assets and in preventing and detecting fraud, waste, and abuse. Our Standards for Internal Control in the Federal Government requires that (1) key duties and responsibilities be divided or segregated among different people to reduce the risk of error or fraud, (2) transactions and other significant events be authorized and executed only by persons acting within the scope of their authority, (3) all transactions and other significant events be clearly documented, and the documentation be readily available for examination, (4) management ensure that its workforce has the required skills necessary to achieve organizational goals, and (5) internal control monitoring be performed to assess the quality of performance over time and ensure that audit findings are promptly resolved. We found that FAA lacked these key internal controls or had not adequately implemented them, increasing the risk that improper purchases could occur. Segregation of Purchasing Duties Was Inadequate: We identified limited segregation of duties during our detailed tests of transactions. From the statistical sample of 333 purchase card and convenience check transactions, 93 lacked evidence of adequate segregation of duties. Based on the results of our review of these transactions, we estimate that $44 million[Footnote 21] of the total sampled population of purchase card and convenience check transactions lacked adequate segregation of duties. What we found most often was that the cardholder requested the purchase, placed the order, and picked up or received the acquired goods without any other review or approval. Although 68 of the 93 transactions had evidence of the approving official’s review and approval, we determined that adequate segregation of duties did not exist because the cardholder had performed a majority of the purchasing duties with little if any oversight. For example, we noted an instance where an employee at one location served as the funds certification officer, approving official, and property custodian for purchases in her area. Consequently, she certified that funds were available for purchases; reviewed and approved purchases made by cardholders under her supervision; and accounted for, recorded, and maintained property inventory records for assets purchased. We also found that 7 of FAA’s 12 APCs and 4 alternates were also cardholders. One of these APCs also served as an approving official. Because APCs are responsible for monitoring cardholders’ and approving officials’ activities for indications of potential fraud, waste, and abuse, these APCs were essentially monitoring their own activities. In fact, the cardholder with the largest dollar volume of charges in FAA during fiscal year 2001, totaling $4 million, was an APC. Several factors contributed to these segregation of duties weaknesses. From our discussions with several APCs, we noted that generally, segregation of duties was not an area of focus in the training for cardholders and approving officials. We also were told that certain field offices may not be able to adequately segregate purchasing duties because of the small number of employees located at those sites. In addition, we found that FAA’s operating guidance did not specify how purchasing duties should be separated. Although the guidance describes key duties and responsibilities involved in the purchasing process, it generally does not specify that these key duties and responsibilities be segregated among different people. For example, the guidance states that an approving official is normally the cardholder’s immediate supervisor. However, the guidance does not require other key roles, such as the funds certification officer and the property custodian, to be filled by someone other than the cardholder and the approving official. Lacking appropriate segregation, FAA cannot ensure that purchases are appropriate, have been duly authorized, and comply with purchase requirements. Supervisory Review and Approval Process Was Inadequate: Because the only segregation of duties required by FAA policy is between the purchaser and approving official for a particular transaction, the approving official often may be the only party aside from the purchaser who reviews the transaction. Consequently, the approving official’s review is a critical internal control for ensuring that purchases are appropriate and comply with FAA requirements. However, we found FAA’s supervisory review and approval process was inadequate for ensuring that purchases were proper. Specifically, we found numerous transactions that did not have evidence of supervisory approval, had been approved even though they were missing key documents, did not comply with one or more purchasing policies or procedures, or were wasteful purchases. We also identified duplicate charges that had not been promptly disputed with the bank to ensure that they were removed from accounts and refunded to FAA. Review of transactions by persons in authority is the principle means of assuring that transactions are valid. Although FAA requires that approving officials review and approve cardholders’ purchases, this was not consistently done. For example, of the 333 purchase card and convenience check transactions in the statistical sample, 52 transactions lacked evidence of approving official review. Based on the results of our review of these transactions, we estimate that $27 million[Footnote 22] of the total sampled population of purchase card and convenience check transactions lacked evidence of approving official review. We also nonstatistically selected 1,874 transactions from fiscal year 2001 that appeared to have a higher susceptibility to fraud, waste, and abuse, and found that 419 of these transactions (22 percent) also lacked evidence of supervisory review. Because the approving official review is the first, and sometimes only, line of defense for detecting improper transactions, it is critical that approving officials perform and document adequate, timely reviews. The number of purchase transactions that had been approved even though they were missing key documents further illustrates FAA’s inadequate supervisory review and approval. Specifically, from our statistical and nonstatistical samples, we noted 155 transactions totaling $402,439 were missing key purchase documents such as a credit card slip or invoice, yet approving officials still approved 66 of these purchases.[Footnote 23] Missing invoice documentation raises questions about the adequacy of the approving official’s review, since without such documentation, it can be difficult to determine what was purchased based on the cardholder’s monthly credit card statement alone. For example, we identified a $1,240 transaction at Sears, Roebuck and Co. that the cardholder claimed was used to purchase a refrigerator. However, the monthly billing statement only indicated where the purchase was made, and did not contain a description of what was purchased. Without a credit card receipt or invoice, we could not verify what was purchased or whether it was being used for government purposes. As noted later in this report, we also found that cardholders throughout the agency made numerous improper purchases (i.e., purchases that did not comply with one or more purchasing policies or procedures) and wasteful purchases (i.e., purchases that were excessive in cost or for questionable government needs) that nevertheless were approved. Without documented approval and a thorough review of all supporting documentation by approving officials, there is no assurance that items purchased comply with purchasing requirements and have a legitimate government purpose. For example, in fiscal year 2001 a former FAA employee was convicted of illegally making over $58,000 in personal charges with his government purchase card over at least a 9-month period, including numerous purchases made at various auto specialty businesses and a custom auto body shop. We could not determine from the case documentation provided to us whether the cardholder’s supervisor approved any of these purchases. However, had the approving official timely and thoroughly reviewed the credit card statements and supporting documentation for each transaction, he could have identified numerous improper purchases at vendors such as Commercial Van Interiors, Exclusive Window Tint, The Custom Shop, and Fairway Chevrolet on the government purchase card. In another case, a cardholder made six cash advances totaling $1,800 that occurred over four monthly billing cycles. File documentation contained a copy of one of the cardholder’s bank statements from that period. Although cash advances are prohibited, the authorizing official approved this statement even though the charges on that statement included three cash advances. In addition, the cash advances were made at two gambling establishments, including one called the Normandie Club, which should have raised at least some suspicions on the part of the approving official in reviewing the cardholder’s statement.[Footnote 24] These violations were not identified by the approving official, but were identified by the accounting department. The cardholder was reprimanded and the account was closed. However, FAA officials informed us that because the cardholder repaid the cash advances, no further disciplinary actions were taken against the cardholder. In addition, no disciplinary actions were taken against the approving officials in either case, despite the fact that approving officials are responsible for reviewing all transactions against supporting documentation and reporting potential fraud and abuse by cardholders. We also noted that three transactions totaling $3,712 were charged twice to cardholders’ accounts and had not been credited at the time of our review. Bank of America only allows a cardholder 60 days from the time a disputed transaction first appears on a cardholder’s monthly credit card statement to submit a written dispute form to the bank, but the cardholders in these three cases did not do so. In each case, the cardholders initiated verbal inquiries to the vendor or to Bank of America regarding the duplicate charges, but did not follow through with written dispute forms as required. In addition, approving officials did not perform timely follow up with the cardholders to ensure that the written dispute forms were submitted promptly. Therefore, these erroneous charges were not credited back to the cardholders’ accounts, and FAA was not reimbursed for the duplicate payments made to the bank. One factor that might contribute to FAA’s inadequate supervisory review is that, in certain instances, there was a high ratio of cardholders to approving officials. Having a manageable number of cardholders is essential for approving officials to be able to conduct timely, thorough reviews of transactions to help facilitate detection of possible purchase card misuse and fraud. Although there is no definitive requirement, GSA’s Blueprint for Success: Purchase Card Oversight indicates that most approving officials are assigned from 4 to 10 cardholders each. However, we found that 228 of FAA’s 1,741 approving officials, or 13 percent, were assigned from 11 to 47 cardholders each.[Footnote 25] FAA’s operating guidance does not address the number of cardholders that would be appropriate to enable approving officials to adequately perform their supervisory responsibilities. However, approving officials who have more cardholders than they can effectively supervise are less likely to adequately perform their responsibilities in a timely manner. Some Purchases Lacked Key Documentation: We found that some of FAA’s purchase card transactions lacked key supporting documentation. FAA’s procurement guidance requires that all purchase transactions made by a cardholder must be supported by a certification of funds availability and an invoice or credit card slip. Furthermore, FAA Order 1350.15B, Records Organization, Transfer, and Destruction Standards, requires that acquisition records for purchases of $25,000 or less be maintained for 3 years after final payment. Acquisition records for purchases exceeding $25,000 should be maintained for 6 years and 3 months after final receipt of goods or services. Of the 333 transactions tested in the statistical sample, we found 18 instances where FAA lacked an invoice, credit card slip, or other store receipt. Based on these results, we estimate that $8 million[Footnote 26] of the total fiscal year 2001 purchase card and convenience check transactions lacked key supporting documentation. Similarly, our review of 1,874 nonstatistically selected transactions identified 131 transactions (7 percent) totaling $356,487 that were missing such key purchase documents.[Footnote 27] In some instances, cardholders or FAA employees indicated that the invoice had been lost, shredded, or not retained when the cardholder retired or separated from FAA. However, we also found instances where no explanation was provided as to why cardholders could not submit supporting documentation as of the end of our fieldwork. The invoice is the basic document that cardholders are required to attach to their monthly statements for approving official review. Without such documentation, FAA does not have any independent evidence of the description and quantity of what was purchased and the price paid. Therefore, it cannot determine whether the purchase was appropriate. Although the percentage of missing invoices was lower than the exceptions for other internal control activities we tested, we believe it is still unacceptable for such a key document. A valid invoice to show what was purchased and the price paid is a basic document for these transactions, and a missing invoice could be an indicator of potential fraud. A near zero failure rate is a reasonable goal considering that invoices are easily obtained or replaced when inadvertently lost. We also identified 178 instances in the statistical sample where FAA lacked a written certification from the responsible fiscal authority that funds were available to make the specific purchase. Based on the results of our review of these transactions, we estimate that $84 million[Footnote 28] of the total sampled population of purchase card and convenience check transactions lacked a written certification that adequate funds were available. FAA requires this documentation to help ensure compliance with the Anti-Deficiency Act (31 U.S.C. 1341) and other fiscal laws that require that specific expenditures be authorized under the particular appropriation to be charged, and that funds are available in the appropriation for the expenditure. Training Was Inadequate to Perform Key Functions: With the many purchase requirements that cardholders, approving officials, and APCs must follow, adequate training is essential for them to perform their duties effectively. However, we found that FAA had not provided adequate training for these key purchase card program participants. Our Standards for Internal Control in the Federal Government states that training should be aimed at developing and retaining employee skill levels to meet changing organizational needs. FAA’s purchase card procurement guidance requires APCs to ensure that both cardholders and approving officials receive proper training on the policies and procedures for use of the card. However, it does not specify how frequently such training must be provided. Although APCs are required to provide initial training to cardholders and approving officials, they are not required to provide any refresher training on an ongoing basis. The lack of refresher training may have contributed to the numerous policy violations we identified during our detailed testing (as discussed later in this report), such as purchases that exceeded various purchasing limits, purchases that were not made from required vendors, and purchases of accountable property that were not recorded in the property management system. Cardholder responses to our questions on these control areas also indicated that they were not aware of key requirements. For example, during our transaction testing, one cardholder said that certification of funds availability--which FAA policy clearly states must be performed for all transactions prior to purchase--was not required at the time of purchase. Another cardholder said it was not required because the particular transaction was under $2,500, while a third cardholder noted that the manager’s signature on the credit card statement constituted certification of funds. FAA recently began implementing steps to ensure that existing cardholders and approving officials obtain refresher training on the purchase card program. For example, an FAA memorandum from the Assistant Administrator for Regional and Center Operations, dated April 25, 2002, emphasized that all cardholders and approving officials under her line of reporting would be required to obtain refresher training, although no final date for completion of training was given. Another FAA memorandum, dated April 30, 2002, from the Assistant Administrator for Financial Services and Chief Financial Officer also recommended, but did not require, that all parties involved in the purchase card program take periodic refresher training. Since then, some APCs have taken actions to implement the applicable requirements/recommendations at their locations. For example, at one FAA location the APC began requiring all cardholders and approving officials to complete purchase card retraining, including reading FAA’s internal purchase card operating procedures and certifying completion, reading GSA’s Blueprint for Success: Purchase Card Oversight, completing GSA’s on-line quiz, and submitting the certificate of completion to the APC. We were informed that the APC closed 40 cardholders’ accounts for failure to comply with the retraining requirement. This APC also held six “special emphasis” training sessions for all cardholders and approving officials, which emphasized areas of weakness that we had identified during our site visit. Another APC developed a database for her location to track the dates that cardholders and approving officials completed the initial and updated training. While FAA has begun to address the lack of refresher training for its cardholders and approving officials, the agency still has no specific training requirement or courses for its APCs. Adequate training for APCs is critical because they are responsible for overseeing the entire purchase card program. While FAA’s procurement guidance requires APCs to ensure that cardholders and approving officials receive proper training, the guidance is silent on ensuring the same for APCs. Consequently, the training available to APCs during fiscal year 2001 was limited to training offered by GSA and Bank of America; however, these sources were not fully utilized. For example, GSA conducts an annual governmentwide conference to train APCs on account administration, program management, reporting tools available for monitoring the program, and the banks’ various electronic access systems. However, we noted that only 6 of FAA’s 12 APCs attended GSA’s August 2002 training conference, and only 1 of the APCs attended any bank-sponsored training during fiscal years 2001 and 2002 for the purchase card program. As FAA makes changes to strengthen controls over the purchase card program, APCs require detailed guidance and training for carrying out some of these initiatives. However, they have not always received this. For example, an April 30, 2002, FAA memorandum, required each region and center, and the headquarters office to begin conducting annual reviews of purchase card and convenience check transactions effective fiscal year 2002. Although the memorandum provided information regarding the type of sampling methodology to use, what to review, and the criteria to be used when conducting the annual review, there was no discussion regarding the population to be used in selecting the sample or specific data analysis techniques to be performed to identify potentially fraudulent, improper, or questionable transactions. In addition, the annual review only focused on reviewing the cardholder’s records for compliance with limited policies and procedures, and did not include an assessment of key control activities such as assessing the ongoing need for cards, appropriate segregation of duties, and record retention. Without detailed guidance and commensurate training, locations may not conduct adequate annual reviews. In addition, inconsistent methodologies used to perform reviews may not provide meaningful results for determining how the overall program is functioning. As noted later in this report, we identified instances where APCs were unaware of the monitoring tools available to them or were untrained in how to use them. Without proper training, APCs are limited in how effectively they can manage their programs, which in turn limits their ability to prevent and detect fraud, waste, and abuse. Program Monitoring Was Inadequate: FAA did not adequately monitor and evaluate the effectiveness of controls over its purchase card program to ensure that findings of audits were promptly resolved. The OIG reported deficiencies in DOT’s departmentwide purchase card program, which included FAA, as far back as 1997, yet FAA did not take sufficient action to address these weaknesses. For example, in the 1997 review[Footnote 29] the OIG reported that cardholders purchased restricted and prohibited items and made split purchases to circumvent cardholders’ single purchase limits; approving officials did not adequately perform required supervisory reviews, such as reviewing the documentation to support cardholder purchases; and operating administrations did not statistically sample purchase card transactions for potentially improper purchases in part because they lacked adequate guidelines or procedures to do so. DOT’s primary response was to issue memorandums reiterating purchasing requirements, and issue guidance for conducting statistical reviews. However, it did not follow up to determine whether those actions were sufficient to resolve the cited weaknesses. Consequently, the OIG reported similar audit results in 2001,[Footnote 30] finding that cardholders continued to make split purchases, primarily at FAA; approving officials were not verifying that purchases were authorized; FAA was not sampling purchase card transactions to determine if purchases were authorized and complied with purchasing requirements; and disciplinary actions were inconsistent when cardholders or approving officials violated policies. As in 1997, DOT and FAA responded primarily by issuing memorandums and guidance. Although FAA management stated that the headquarters APC would begin performing internal audits of the purchase card program, the headquarters APC informed us that these internal reviews would be limited to headquarters’ purchase card activity and would not cover the controls or transactions at FAA’s 11 regions and centers. Without adequate monitoring to determine whether policies are being properly implemented, the issuance of new policies and guidance was generally ineffective. Our May 2002 report on FAA’s Alaskan Region purchases[Footnote 31] and this report identified many of the same weaknesses reported by the OIG as well as other findings. While the work performed by the OIG and us differed as to the specific scope and periods covered, the nature and scope of weaknesses identified were indicative of insufficient attention by management to establish and maintain sound internal controls over its purchase card program. Despite these repeated warnings, FAA management has not ensured that its efforts to address audit findings have actually corrected the problems. In April 2002, the Office of Management and Budget (OMB) directed all federal agencies to prepare a remedial action plan for their purchase card programs about the adequacy of internal control systems that monitor the use of purchase cards. DOT’s plan, which was approved by OMB on August 8, 2002, set forth several actions it planned to complete by November 30, 2002, such as reviewing cardholder spending limits to ensure that limits match cardholders’ needs, and reviewing, adjusting, and restricting certain merchant category codes to lessen the risk of fraud or misuse. We noted that FAA was still in the process of implementing these actions at the end of our fieldwork. The inadequate follow-up on prior audit findings may be due in part to the lack of centralized oversight of FAA’s purchase card program. During our entrance conference with FAA officials, they admitted that no oversight or monitoring was performed at the FAA-wide level due to FAA’s decentralized operations and reporting structure. Consequently, they were unable to provide us even basic information about their overall purchase card program, such as the total number of cardholders and approving officials, or the volume of purchase card activity. FAA officials stated that the headquarters APC was FAA’s designated national representative, which the APC acknowledged. However, we found no monitoring activities directed at assessing overall program results, evaluating internal control and compliance with purchasing procedures, or ensuring that local purchase card policies and procedures were consistent with FAA acquisition policy. With the lack of centralized oversight of the purchase card program, FAA has had to rely upon the 12 individual APCs (1 at each location) to manage activities within their jurisdictions. However, we found that APCs’ primary attention appeared to focus on basic program activities such as opening and closing cardholder accounts and providing training for new cardholders and approving officials, with little if any attention paid to monitoring for compliance with program requirements or for improper purchases. Consequently, we found that APCs generally were not (1) consistently utilizing Bank of America’s Electronic Account Government Ledger System (EAGLS)[Footnote 32] reporting functions to detect potential misuse and/or fraud within their programs, (2) canceling accounts of departed employees in a timely manner, and (3) monitoring for increased risk of improper purchases due to cardholders with multiple accounts, as further discussed below. Given that FAA makes thousands of purchase card transactions annually, which, in fiscal year 2001, exceeded $150 million, it is essential that FAA management devote adequate attention to monitoring its purchase card program to ensure that it is properly managed and to reduce the risk of fraud, waste, or abuse. * EAGLS reports. EAGLS can generate account activity reports, which identify trends such as purchases from merchants that would not be expected to be traditional suppliers or unusually high spending patterns; dispute reports, which identify cardholders with excessive disputes that may indicate cardholder misuse or fraudulent activity; and various other exception reports that can track information such as unallowable automated teller machine transactions or cash withdrawals or charges at specific merchant category codes for businesses unrelated to FAA’s mission. Several APCs told us that they did not know that some of these essential reports existed or were not sure how to access the data to print these reports from EAGLS. As a result, they were not using them to systematically monitor cardholder activity for potential fraud or abuse. * Separated employees. We also found that accounts of cardholders who resign, retire, or otherwise leave FAA employment were not promptly closed upon their departure. Although FAA’s procedures require that the APC be notified via an employee clearance form when cardholders leave the agency, some APCs acknowledged that they did not always receive the forms or receive them timely. However, at the time of our review, only 1 of the 11 APCs[Footnote 33] actively reviewed cardholder names against monthly personnel reports to ensure that departed employees’ accounts were canceled soon after their departure. Consequently, our data mining identified five cardholders from three FAA locations whose accounts remained open a month or more after their fiscal year 2001 separation dates. Although we did not identify any associated fraudulent activity, charges continued to be made to four of the five accounts from automatic monthly billings, such as Internet service fees, or when other employees incurred charges at vendors that had the departed cardholders’ account numbers on file. FAA identified and closed three of the open accounts but was unaware of and did not close the remaining two accounts until we brought them to its attention, including one that was closed 6 months after the cardholder left the agency. * Multiple accounts. We also found that APCs were not monitoring for increased risk of improper purchases by cardholders with multiple purchase cards. During our data mining, we identified 176 cardholders who were issued from two to eight purchase cards each. According to FAA, multiple cards were issued so that the originating office could separately track expenditures against different funding allocations. However, because every transaction requires an accounting classification code to indicate the appropriation and fund that the purchase is to be charged against, there is no need for separate purchase cards to do this. In addition, the issuance of multiple cards to the same cardholder places an additional administrative burden on APCs, cardholders, and approving officials in carrying out their respective responsibilities, and increases FAA’s risk of improper purchases. As a result of our audit, APCs have begun to review and cancel the excess purchase cards issued to these cardholders and have stopped issuing multiple cards to individual cardholders. FAA officials informed us that a national purchase card program coordinator and a national organization reporting coordinator were appointed to oversee the program beginning January 6, 2003. Proper oversight at this level will be critical for ensuring that identified program weaknesses are addressed nationally and program improvements are implemented consistently. Noncompliance with Policies and Procedures Resulted in Some Improper Purchases: The lack of adequate internal controls was evident in identified violations of FAA acquisition requirements that we classified as improper purchases. These included (1) purchases that were split into two or more transactions to circumvent single purchase limits, (2) purchases that exceeded other limits established by FAA, (3) purchases from other than required vendors without the appropriate waivers, (4) unauthorized purchase actions whereby someone other than the cardholder made the purchase, and (5) withdrawals or payments to cardholders through cash advances or convenience checks. Table 1 shows the number of exceptions we identified for each category, as described further below. Table 1: Transactions Not in Compliance with Purchasing Requirements: Policy violation of purchasing requirement: Transactions associated with purchases that were split into two or more segments to avoid established single purchase limits; Number of transactions not in compliance: 997; Dollar amount of transactions not in compliance: $5,111,147. Policy violation of purchasing requirement: Purchases that exceeded limits established by FAA; Number of transactions not in compliance: 30; Dollar amount of transactions not in compliance: 214,666. Policy violation of purchasing requirement: Purchases that were not made from required vendors; Number of transactions not in compliance: 20; Dollar amount of transactions not in compliance: 35,903. Policy violation of purchasing requirement: Unauthorized purchase actions, that is, purchases by someone other than the cardholder; Number of transactions not in compliance: 12; Dollar amount of transactions not in compliance: 75,646. Policy violation of purchasing requirement: Withdrawals or payments through cash advances or convenience checks; Number of transactions not in compliance: 4; Dollar amount of transactions not in compliance: 2,462. Policy violation of purchasing requirement: Total; Number of transactions not in compliance: 1,063; Dollar amount of transactions not in compliance: $5,439,824. Source: GAO. Note: GAO’s analysis of FAA purchase card transactions and related documentation. [End of table] While the total amount of improper purchases we identified is relatively small compared to the over $150 million in annual purchase card and convenience check transactions, it demonstrates vulnerabilities from weak controls that could easily be exploited to a greater extent. The above policy violations are discussed in more detail below. * Split purchases. During our data mining and detailed tests of transactions, we found 997 split purchase transactions[Footnote 34]-- purchases that had been split into more than one transaction to stay within established single purchase limit--totaling $5.1 million. For example, a cardholder with a single purchase limit of $5,000 purchased a printer and accessories totaling $8,391. The cardholder had the vendor make three separate charges to the purchase card, on the same day, to avoid exceeding the single purchase limit. Another cardholder informed us that she was directed by her supervisor to issue multiple convenience checks to pay a vendor in order to work around the $2,500 convenience check limit, despite the fact the cardholder advised her supervisor that this was contrary to procurement policy. After the split purchases were discovered, the cardholder stated that the incident was investigated, she was counseled, and her account was subsequently closed in January 2002. However, no disciplinary action was taken against the supervisor. We noted that cardholders and approving officials generally were not disciplined when these types of policy violations occurred. We identified another 201 transactions totaling over $543,000 that we considered potential split purchase transactions, but could not confirm this because cardholders did not provide adequate documentation to enable us to fully assess the transactions. The purpose of the single purchase limit is to require that purchases above established limits be subject to additional controls to ensure that they are properly reviewed and approved before the agency obligates funds. By allowing these limits to be circumvented, FAA has less control over the obligation and expenditure of its resources. * Purchases that exceeded limits established by FAA policy. We found that several purchases exceeded FAA’s established purchase card thresholds for the procurement of services and the dollar limit for purchases made with convenience checks. When cardholders circumvent these management controls, FAA has no assurance that purchases comply with certain labor laws[Footnote 35] and that cardholders are making contractual commitments on behalf of FAA within the limits of their delegated purchasing authority. FAA’s operating procedures prohibit the use of the purchase card and convenience checks when procuring certain nonconstruction services of $2,500 or more, such as janitorial, grounds, and guard services,[Footnote 36] or when procuring certain services, such as temporary help and consulting services, regardless of the amount.[Footnote 37] During our detailed tests of transactions, we identified four transactions totaling $16,460 for nonconstruction services costing $2,500 or more. We also identified seven transactions totaling $111,648 for consulting services even though FAA prohibits using the purchase card for these types of purchases. For example, a cardholder procured consulting services for engineering, technical analysis, and program management support activities from the same vendor over a 3-month period totaling $67,000 because management had directed that these services continue while a new contract was awarded. FAA’s operating procedures also prohibit the use of the purchase card or convenience check when procuring construction services valued at $2,000 or more. FAA defines these services as the construction, alteration, or repair of buildings, structures, or other real property.[Footnote 38] During our detailed tests of transactions, we identified eight transactions totaling $35,735 that exceeded the $2,000 limit for purchasing construction services with the purchase card. These included a $5,224 purchase for the repair of wiring and replacement of lighting at an FAA cafeteria and two purchases totaling $12,684 from the same vendor on two different occasions for electrical work at an FAA facility. Our data mining also identified 11 transactions totaling $50,823 where cardholders exceeded the $2,500 convenience check limit.[Footnote 39] The most serious violation was the use of a convenience check to pay for equipment modifications totaling $18,690. FAA indicated it had previously identified this purchase as a violation of policy, notified the cardholder’s approving official, and taken steps to ensure the cardholder was reminded of convenience check policies and procedures. However, we noted that no disciplinary action was taken against the approving official who was responsible for ensuring that the purchase was made in accordance with policies and procedures. * Purchases were not made from required vendors. Cardholders made numerous purchases from other than required vendors without obtaining appropriate waivers to indicate that they were authorized to buy elsewhere.[Footnote 40] During our testing of the 333 transactions in the statistical sample, we identified 36 purchases that were required to be purchased from a mandatory source. Of the 36, 20 transactions were not purchased from the mandatory vendors and did not have the required waiver from Federal Prison Industries, Inc. (UNICOR) or any documentation that would support that a Javits-Wagner-O’Day (JWOD) Act supplier did not offer the items or that the items were currently unavailable. Based on the results of our review of these transactions, we estimate that $9 million[Footnote 41] of the related sample population of purchase card and convenience check transactions lacked the required waivers or other supporting documentation. For example, a cardholder purchased 24 office chairs totaling $15,246 from a commercial vendor without obtaining a waiver indicating that UNICOR could not meet the purchase request. In another example, a cardholder purchased a leather binder, refills, and other accessories totaling $196 from Franklin Covey, a high-end office supply store, instead of purchasing similar products from a JWOD supplier. The cardholder provided an explanation that the purchase was for business use, but provided no documentation why similar products were not procured from a JWOD supplier. During our data mining, we noted that FAA made 2,903 purchases totaling $492,643 from Franklin Covey in fiscal year 2001. While we did not review all of these individual purchases, based on our detailed testing of similar transactions, it is likely many of them should have been procured from a mandatory source, if at all. In response to our questions about such purchases, FAA’s Director of Acquisitions responded to us in a November 21, 2002, memorandum that FAA is reviewing the need to establish guidelines on what can be purchased from this vendor. * Unauthorized purchase actions made with the purchase card. During our detailed tests of transactions, we found several unauthorized transactions where noncardholders made purchases using cardholders’ accounts, increasing the risk that the card may be used to make improper purchases. FAA’s operating guidance requires that the named cardholder on the purchase card be the only one to use the card to make purchases. Allowing someone other than the cardholder to use the card is considered an unauthorized purchase action that is subject to disciplinary action. However, we found that FAA did not always comply with this requirement. Specifically, we identified 12 unauthorized purchases totaling $75,646 where someone other than the cardholder made the purchase. Seven of these unauthorized purchases, totaling $70,000, related to one cardholder’s account. According to the cardholder, her supervisor had requested her purchase card account number so that others in the office could make purchases, which included various computer and office equipment, including 20 PDAs. Because the total order exceeded the cardholder’s single purchase limit, the vendor split the order into seven different purchase transactions, which is also a violation of policy. When her monthly billing statement came, the cardholder stated that she was unable to account for some of the transactions because the purchasers did not provide her with all of the related receipts for the items purchased. Furthermore, the cardholder informed us that an additional 14 transactions totaling $79,445 that were not in the sample but were listed on her monthly billing statement were also unauthorized purchase actions made by others in her office. Because of these unauthorized uses and the related frustrations associated with attempting to reconcile her monthly billing statements, the cardholder informed us that per her request, the APC closed her account on October 27, 2002. We identified another unauthorized transaction when a cardholder was unable to provide any supporting documentation for the item in the sample, stating she had not made the purchase. The cardholder stated that she transferred from the unit that issued her the card in July 1999, but was asked to leave the active credit card with the assistant manager so that the office could continue to use it to make purchases. Because the cardholder left the issuing unit in July 1999, all purchases made to her account during fiscal year 2001, our period of review, were unauthorized purchase actions. As a result, we identified an additional 28 unauthorized purchase transactions totaling $3,595 that were charged to the cardholder’s account from October 2000 through January 2001. The APC eventually closed the cardholder’s account on January 28, 2002, approximately 2 ½ years after the cardholder had left. * Cash advances and cash payments made to cardholders. FAA’s operating guidance prohibits the use of the purchase card for cash advances and prohibits cardholders from issuing convenience checks payable to themselves. However, during our data mining we identified three cash advance transactions and one transaction where the cardholder wrote a convenience check payable to herself. For example, one cardholder used the government purchase card to obtain a $100 cash advance to pay a vendor for lawn services rendered at an FAA facility. The approval form for this transaction showed that the key authorizers and reviewers of this transaction--including the funds certification officer and the approving official--had approved the cash advance even though it was a violation of policy. In another example, a cardholder wrote a convenience check payable to herself totaling $214, in violation of policy. She purchased an item at a warehouse club that did not accept the brand of the government purchase card. Because the cardholder did not have authorization to use a convenience check at the time of purchase, she made the purchase with her personal credit card and subsequently requested and received authorization from her supervisor to be reimbursed by writing a convenience check payable to herself, even though this was a violation of policy. As described above, our review of FAA’s purchase card activities identified numerous policy violations that resulted in improper purchases. However, we generally found that disciplinary action was not taken against the cardholders or approving officials when these policy violations occurred. Enforcement of disciplinary action procedures helps prevent or deter future policy violations from occurring and assists in holding cardholders and approving officials accountable for carrying out their responsibilities when using, reviewing, and approving purchase card transactions. Poor Controls Resulted in Some Wasteful and Questionable Purchases: The inadequacies and ineffectiveness of internal controls were also evident in the number of transactions identified that we classified as wasteful--that is, were excessive in cost compared to other available alternatives and/or were for questionable government needs. Our reviews of transactions in both the statistical and nonstatistical samples identified transactions that we considered wasteful. In addition, FAA cardholders frequently did not document their determination that the purchase represented the “best value” to the government, which FAA purchasing policy defines as the solution that is most advantageous to FAA based on an evaluation of price and other factors. We also identified other transactions that we classified as questionable because there was insufficient documentation to determine what was purchased or because the charges were made to a third party billing company that did not identify the actual vendor. Lacking this documentation or identity, neither we nor other reviewers of the transactions could verify the reasonableness and appropriateness of the purchases. Table 2 indicates the number of transactions and dollar amounts in both the statistical and nonstatistical samples that we determined to be excessive in cost relative to similar products on the market, for questionable government needs, or for which we were unable to determine the reasonableness of the item due to missing invoices or because the charges were paid to third party on-line billing services. While not significant to the overall purchase card program, these transactions are indicative of what can occur when the use of the cards is not properly controlled. Because we tested only a small portion of the transactions that appeared to have a higher risk of fraud, waste, or abuse, there may be other improper, wasteful, and questionable purchases in the remaining untested transactions. Table 2: Transactions Identified as Wasteful or Questionable: Transaction category: Wasteful transactions; Number of transactions[A]: [Empty]; Dollar amount of transactions: [Empty]. Transaction category: Excessive cost; Number of transactions[A]: 46; Dollar amount of transactions: $140,131. Transaction category: Questionable government need; Number of transactions[A]: 10; Dollar amount of transactions: 3,312. Transaction category: Both excessive cost and; questionable government need; Number of transactions[A]: 58; Dollar amount of transactions: 79,159. Transaction category: Total; Number of transactions[A]: 114; Dollar amount of transactions: $222,602. Transaction category: Questionable transactions; Number of transactions[A]: [Empty]; Dollar amount of transactions: [Empty]. Transaction category: Missing invoice; Number of transactions[A]: 149; Dollar amount of transactions: 401,347. Transaction category: Third party on-line billing; Number of transactions[A]: 13; Dollar amount of transactions: 6,009. Transaction category: Total; Number of transactions[A]: 162; Dollar amount of transactions: $407,356. Source: GAO. Note: GAO’s analysis of statistical and nonstatistical transactions selected for fiscal year 2001. [A] Of the 114 transactions identified as wasteful, 9 came from the statistical sample and 105 came from the nonstatistical sample results. Of the 162 transactions identified as questionable, 18 came from the statistical sample and 144 came from the nonstatistical sample. [End of table] Wasteful Purchases: We identified 114 purchases totaling $222,602 that we determined to be wasteful because they were excessive in cost relative to available alternatives, were of questionable government need, or both. We considered them excessive in cost when compared to available alternatives that would meet the same basic needs or questionable as government expenditures because they appeared to be items that were a matter of personal preference or personal convenience, were not reasonably required as part of the usual and necessary equipment for the work the employees were engaged in, and/or did not appear to be for the principal benefit of the government. Specifically, we identified 46 purchases totaling $140,131 that we considered excessive in cost, 10 purchases totaling $3,312 for which we questioned the government need, and an additional 58 purchases totaling $79,159 that we considered both excessive in cost and for questionable government need. Such purchases included purchases of store gift cards for later use; hotel and resort charges, including room rentals and food costs for internal management meetings; award, retirement, and farewell gifts; Internet services for individual FAA employees; and purchases of PDAs and accessories. These examples are described below. * Store gift cards. We noted several purchases of store gift cards for which we question the government need. Purchases of gift cards are particularly risky because they are the equivalent of cash. Unlike purchases made with a purchase card, which appear on a monthly billing statement to be approved by an approving official and supported by receipts, purchases made with a gift card have no such subsequent audit trail. Consequently, if the gift cards are lost, stolen, or misused, there is no means for determining how they were spent. In addition, gift cards used after the end of the fiscal year in which they are purchased violate the “bona fide” needs rule under 31 U.S.C. 1502(a) (2000).[Footnote 42] For example, one cardholder purchased 10 $100 Home Depot store gift cards, totaling $1,000, that the cardholder stated were to be used to purchase tile and mini blinds for installation in the day care facility after the close of the fiscal year. However, the cardholder was only able to provide one receipt dated 3 months after the close of the fiscal year, which showed that 3 of the gift cards were used to purchase items totaling $203.49. In addition to violating the bona fide needs rule, we identified several problems with this purchase. One, the $96.51 balance due from that purchase--government funds--was refunded in cash to the person using the gift cards, which we confirmed with the vendor. However, because the purchase was made with gift cards, which do not identify the purchaser, we could not determine who received the cash back nor what happened to it. Two, among the items purchased were two pairs of cowhide gloves, which were not part of the intended purpose the cardholder stated.[Footnote 43] Three, because the purchase was made with gift cards rather than the government purchase card, the state sales tax was charged and paid even though the federal government was exempt from state sales tax. In addition to these problems, the cardholder could not show how the remaining 7 gift cards were used, whether they were spent for government purposes, when they were used, or even who used them. Another cardholder spent $775 on Wal-Mart gift cards, but similarly was unable to provide any documentation on how the cards were ultimately spent. In another example, one cardholder told us she was given verbal approval to spend a certain amount on an awards ceremony. When the award ceremony expenses totaled less than the allocated amount, the cardholder purchased a grocery store gift card for the remaining $179, which was later used to buy postage stamps for Christmas cards to send to other FAA facilities, and food and utensils for a Christmas luncheon and a retirement gathering, all of which are unallowable government expenditures. When we asked FAA for its policy on the purchase of gift cards, the Director of Acquisitions responded to us in a November 21, 2002, memorandum that FAA’s present policy is that gift cards will not be purchased for later use because such purchases are a violation of the fiscal law statute regarding bona fide need. However, unless cardholders and approving officials are aware of this policy and management adequately monitors compliance, such expenditures are likely to continue. * Conference room rentals and related food charges.[Footnote 44] We identified several purchases for the rental of hotel and resort facilities used for internal FAA meetings, conferences, and training. For example, FAA paid $2,660 for a conference room and audiovisual rentals at the Tropicana Resort and Casino in Las Vegas, with no explanation as to the reason why this location was chosen to hold an internal FAA management meeting. After we reported similar findings in our report on FAA’s Alaskan Region, the Chief Financial Officer issued a June 4, 2002, memorandum that established new spending restrictions, one of which now requires that internal FAA conferences and off-site meetings be held in federal facilities. However, this memorandum was issued after the period of our review. We also identified transactions for conference room rentals that included significant food and beverage costs, which we considered excessive and for which we questioned the government need. For example, in one case FAA spent $12,866 for food at a Hyatt Hotel for a conference, and $18,050 for food at another conference. We also noted a wasteful purchase representing a cancellation fee charge totaling $5,398 that resulted because the cardholder did not cancel FAA’s reservation for a conference room rental in time to avoid the fee. * Award, retirement, and farewell gifts. We noted several purchases for award, retirement, and farewell gifts. Although FAA policy gives managers a wide berth in determining the nature and extent of awards, we identified six purchases for award gifts for which they were unable to provide the purposes for which the recipients were being recognized. For example, we identified three purchases of Waterford crystal costing from $110 to $220 each. For these purchases, FAA could not provide the award letters or justification for the awards. Consequently, it could provide no evidence that these purchases were truly awards. We also identified two purchases for award events for which FAA was unable to provide the basis for the awards. These included a purchase of $225 for the rental of bowling lanes and shoes for 27 employees with no justification as to why the individuals were receiving the award, and $459 for 100 movie passes for “employee appreciation day” with no list of awardees or basis for the award. We also identified eleven purchases that FAA cardholders characterized as either retirement gifts or farewell gifts. However, they were unable to demonstrate that the gifts were authorized under applicable agency authority. The retirement gifts included two Waterford crystal gifts, a glass clock, and an inscribed globe, which ranged in cost from $101 to $209 each. The farewell gifts included a $329 engraved desk statue for a manager transferring to another unit within FAA. * Internet services. During our data mining, we identified 472 purchases totaling $16,894 for individual subscriptions to various Internet service providers, such as America Online, CompuServe, and EarthLink.[Footnote 45] We inquired with FAA regarding these types of purchases. In his November 21, 2002, response to us, the Director of Acquisitions indicated that these were unnecessary, stating that FAA provides Internet access for employees through eight authorized Internet access points and that employees should obtain the necessary services from one of these access points. The Director stated that FAA would work with the cardholders and FAA’s information resource management contact points and staff offices to ensure that employees do not inappropriately obtain individual subscriptions to Internet service providers. * PDAs and accessories. During our detailed testing, we identified 25 purchase transactions for 123 PDAs and/or PDA accessories totaling $66,684. For example, one of these transactions included a purchase of 30 PDAs and accessories totaling $13,189. However, no documentation was available to show how the office determined that these 30 PDAs were necessary to fulfill a valid government need, rather than for the personal preference of employees. We also noted a wide range in cost for the PDAs purchased. Specifically, the statistical and nonstatistical samples contained transactions for PDAs that ranged in cost from $100 to $558. Cardholders did not provide justification as to why the more expensive PDAs were needed, nor why there was a valid government need for these items. In addition, FAA incurred other costs to support the PDAs, such as those for PDA keyboards, carrying cases, and PDA Internet services. For example, in one instance we identified a purchase of six leather PDA accessories from the Coach store totaling $717. In addition to being excessive in cost, we question whether such items are necessary government expenses. In a June 4, 2002, memorandum prepared in response to our report on FAA’s Alaskan Region, FAA established new spending restrictions that included prohibiting the use of federal funds to purchase PDAs except where the affected associate or assistant administrator personally decides that it is vital to a person or organization successfully achieving their mission in an effective and efficient manner. We also identified numerous other individual purchases that we considered wasteful or, in some cases, abusive. Such purchases included a $299 Bose headset, which the cardholder indicated was used by her director and other senior managers during long flights; $206 for key chains and crystal hearts for training participants; and a $65 picture frame for a cardholder’s use in her office. In another example, a cardholder purchased a $3,707 Sony Vaio laptop computer because an assistant division manager saw it while on travel and asked the cardholder to buy it for him, despite the fact that other, less costly laptop computers were widely available. For example, during the same month another cardholder in the same region purchased 22 lower-end Sony Vaios for $1,330 each; a midrange Sony Vaio in the sample cost $1,700. According to the first cardholder, the model the assistant division manager wanted was new on the market and thus was only available directly from the manufacturer at that time. Part of the problem with these purchases is that cardholders often did not document their determination that the specific purchase represented the best value to the government. FAA policy requires purchasers to determine that prices are fair, reasonable, and provide the best value[Footnote 46] to FAA. Its policy states that the determination that price is fair and reasonable should be documented and the extent of the documentation depends on the complexity and dollar value of the procurement action. We examined transactions in the statistical sample to determine whether there was any evidence that cardholders considered best value in making their purchase decisions, such as any evidence that at the time of purchase the cardholder considered prices from other vendors, services provided by the vendor, quality of product versus alternatives, prior experience with a vendor, or useful life of a product. We identified 213 purchases to which the determination of best value applied.[Footnote 47] Of these, 152 purchases did not have any documentation demonstrating that cardholders considered best value before making their purchases. Based on the results of our review of transactions, we estimate that $74 million[Footnote 48] of the sampled population of purchase card and convenience check transactions lacked documentation of the best value determination. While FAA has issued some new policies to prohibit or better control certain types of expenditures, the types of wasteful purchases we identified can only be prevented through proper employee training, adequate segregation of duties, and thorough management review and enforcement. Until FAA provides adequate management oversight of its purchase card program, including more thorough, systematic monitoring of expenditures with appropriate disciplinary action when warranted, the types of wasteful and abusive purchases we identified, as well as those that may not have appeared in the sample, are likely to continue. Questionable Purchases: As discussed earlier in this report, we identified numerous transactions that were missing adequate supporting documentation to identify what was purchased and the amount. Specifically, 18 of the 333 transactions in the statistical sample[Footnote 49] and 131 of the 1,874 transactions in the nonstatistical sample lacked an invoice, credit card slip, or other sales documentation. Lacking key purchase documentation, neither approving officials nor we could determine or support what was actually purchased, how many items were purchased, the cost of the items purchased, and whether there was a legitimate government need for such items. However, based on the vendor names and explanations provided by the cardholders, we believe at least some of these items may have been determined to be improper or wasteful had the documentation been provided or available. For example, in one transaction that was missing an invoice, the cardholder stated that the purchase was for a $499 Bose Wave radio/CD player that was needed to monitor the news and weather. Table 3 illustrates some of the other transactions in the sample for which cardholders were unable to provide an invoice or other documentation to support what was purchased. Table 3: Examples of Transactions Where Invoice Documentation Was Missing: Vendor: Ashford.com (a jewelry Web site); Transaction amount: $78. Vendor: Bed, Bath, and Beyond; Transaction amount: 63. Vendor: BestBuy.com; Transaction amount: 2,440. Vendor: BJ’s Wholesale Club; Transaction amount: 251. Vendor: Home Depot; Transaction amount: 1,042. Vendor: Harbourtowne Resort; Transaction amount: 5,100. Vendor: L.L. Bean Mail Order; Transaction amount: 90. Vendor: Service Merchandise; Transaction amount: 216. Vendor: Treasure Isle Food; Transaction amount: 1,755. Vendor: Wal-Mart; Transaction amount: 332. Source: GAO. Note: GAO’s analysis of nonstatistical transactions selected for fiscal year 2001. [End of table] In addition, during our data mining, we identified 50 transactions totaling $13,450 that involved the use of third party on-line payment services to pay for cardholder purchases. We selected 30 of these transactions totaling $7,802 for further review. When using these types of services, the cardholder charges the amount of the transaction to the third party payment company. The payment company then forwards the funds to the vendor, generally because the vendor does not accept credit cards for payment. There is no additional expense to the government for using these third party payment companies. However, because the name of the third party payment company appears on the cardholder’s billing statement and not the name of the actual vendor that provided the goods or services purchased, there is no certainty that the purchase was for a bona fide government need and use. For example, one of the purchases included a transaction totaling $470 that the cardholder stated was for payment of software design services. Although the cardholder provided an invoice for the amount, there is no way to verify that the invoice belonged to the actual transaction because the merchant name on the cardholder’s billing statement was the name of the third party payment company, not the name of the vendor that purportedly supplied the software design services. In addition, the invoice date and the transaction date on the cardholder’s monthly billing statement did not match. As a result, we could not verify that the invoice supported the transaction. Furthermore, of the 30 transactions reviewed, 17 transactions involving four different third party payment companies were for purchases the cardholders claimed they did not make.[Footnote 50] Except for 2 transactions totaling $180, we noted that Bank of America subsequently credited the cardholders’ accounts because it determined that the charges were fraudulent in nature. This type of fraudulent activity demonstrates the risk that purchases made using third party payment companies may not be for valid government needs. We asked FAA for its policy on using third party payment companies. In its November 21, 2002, response to us, FAA indicated that it plans to issue guidance in the near future to emphasize that when the cardholder knows a purchase will be processed by a third party payment company, the cardholder must immediately make the approving official aware of the transaction and provide supporting documentation once the purchase is received. However, this does not resolve the difficulty of ensuring that the supporting documentation is in fact associated with the transaction, given that the merchant name on the invoice and the name on the billing statement will not match. Poor Controls Contributed to Wasted or Missing Assets: In reviewing purchases of computers and other portable assets bought with purchase cards, we found that FAA lacked adequate controls over such purchases to ensure that they were properly recorded and accounted for. Assets bought with purchase cards were not required to go through a central receiving point to help ensure that items were recorded in FAA’s property system before they were distributed to users. As a result, we identified 262 asset-related transactions totaling $4.1 million that contained one or more property items that had not been recorded in FAA’s property management system. In testing a selection of unrecorded items, we identified 238 items totaling $287,766 for which FAA could not account. Of these, 202 items were missing; FAA reported that the other 36 items had been transferred to other FAA locations or had been returned for repair and replacement, although FAA could not provide any documentation to support these claims. In addition to the items we found missing, the property management division at one FAA location identified during its physical inventory counts over 800 items totaling almost $2 million that were lost or stolen in fiscal years 2001 and 2002. Given the systemic weaknesses we identified in FAA’s property controls, the actual amount of missing or stolen equipment agencywide could be much higher. FAA’s cardholders buy a significant amount of computers and computer- related equipment with purchase cards. For example, in fiscal year 2001 FAA purchased at least $26.4 million in computers and computer-related equipment at vendors that primarily sell such items, such as Dell, Micron, and Gateway.[Footnote 51] Our Standards for Internal Control in the Federal Government requires agencies to establish physical control to secure and safeguard vulnerable assets. FAA policy requires that accountable property, items that meet specific FAA criteria and dollar thresholds, be recorded in FAA’s Personal Property In-use Management System (PPIMS) to establish accountability for these items. However, FAA did not require purchases of such property to go through a central receiving point where they could be adequately safeguarded until they were bar coded and recorded in PPIMS. Instead, purchase cardholders who bought sensitive items such as computers often took physical delivery of these items at the time of purchase or had them delivered directly to them. Consequently, FAA generally relied on the cardholders to determine whether assets met the requirements for tracking in PPIMS and to forward the appropriate information to property custodians for input. However, during our transaction review, we noted that cardholders did not appear to be knowledgeable of the different asset classifications that required input into PPIMS. For example, in selecting the statistical and nonstatistical sample transactions, we asked cardholders to provide documentation showing the item had been entered into PPIMS for all purchases of accountable property. Several cardholders responded “not applicable” to this request, even though the items they purchased met FAA’s criteria for tracking in PPIMS. Consequently, we identified 262 asset-related transactions totaling $4.1 million where one or more property items had not been recorded in FAA’s property management system. Specifically, from the statistical sample,39 asset-related transactions totaling $737,951 had not been recorded in PPIMS even though the property items had been purchased at least 1 year earlier.[Footnote 52] Based on the sample results, we estimated that $17 million[Footnote 53] of the sampled population were unrecorded in PPIMS. From the nonstatistical sample, 223 asset-related transactions totaling $3.4 million had one or more items that had not been entered into PPIMS.[Footnote 54] When an asset is not recorded in the property management system, there is no systematic means of identifying where it is located or when it is moved, transferred, or disposed of and no record of its existence when physical inventories are performed. Thus, unrecorded assets can be easily lost or stolen without detection. Given the high risk of theft or loss, we conducted an unannounced inventory to test FAA’s ability to account for its assets. We selected 81 purchases of assets totaling over $1.3 million made during fiscal year 2001 by four FAA locations. The 81 transactions were for the purchase of 692 items consisting primarily of computer-related equipment, such as personal computers, laptops, and printers, as well as certain sensitive items, such as PDAs, that are easily pilfered. All of the transactions selected contained 1 or more items that had not been recorded in PPIMS. Of the 692 items we attempted to observe, we found that FAA could not locate 238 items (34 percent) totaling $287,766 at the time of our observation. Although FAA reported that 36 of these missing items had been transferred to other FAA locations or had been returned for repair and replacement, contrary to policy FAA could not provide any documentation to support these claims. In addition to the items we found missing, we noted that at one FAA location the property management division identified 405 items totaling over $900,000 that were lost or stolen in fiscal year 2001 and another 437 items totaling over $1 million that were lost or stolen in fiscal year 2002. These lost or stolen items were primarily identified through physical inventory counts performed during those years. During our follow-up with that location’s property management division, we noted that employees and FAA units responsible for safeguarding the assets were not held accountable when items were identified as lost or stolen. This lack of disciplinary action when items were lost or stolen, combined with poor recordkeeping within those FAA units, created an environment where there was little accountability for government assets. Because lost or stolen items that were not recorded in PPIMS might never be identified as missing, the actual number of missing or stolen items at this and other FAA locations may be much higher. During our site visits and unannounced physical inventories, we also observed instances where computers were not stored in a separate and secured storage room, and as a result, employees had unlimited access to these assets. For example, during an unannounced physical inventory at one location, we observed that an unsecured common office area was being used to store computer equipment. Without enhanced physical security, FAA will continue to be at risk for further computer equipment losses. We also noted instances in which cardholders purchased varying brands of computer equipment in small quantities from different vendors at various times of the year with no documented coordination with FAA’s information technology or acquisitions unit. For example, the statistical and nonstatistical samples contained 47 transactions for 108 computers or laptops totaling over $400,000 where cardholders purchased fewer than 5 computers or laptops in a single transaction. By not coordinating such purchases, FAA could not take advantage of quantity discounts that it might have otherwise received had it combined, negotiated, and purchased similar items in large quantity with a single vendor. In addition, the wide variety of equipment purchased makes it more difficult for the information technology unit to provide user and network support and equipment maintenance. In an official response to us on November 21, 2002, FAA stated that it is developing standard policy guidance that will require equipment items over $500 to be centrally purchased to take advantage of economies of scale and to facilitate equipment standardization. However, it also needs to ensure that the purchases are needed to avoid wasted purchases. For example, one cardholder purchased 30 personal computers costing over $36,000 in November 2000. Although this particular transaction had been coordinated through the information technology unit prior to purchase, we physically observed that as of July 2002 all but 1 of these computers were still unused, sitting in their unopened boxes in a warehouse. Given how quickly computer technology advances, those computers will likely never be used by the agency. Had there been adequate central oversight, FAA could have prevented this purchase or directed the items to a unit that needed them. We noted 10 subsequent transactions for the purchase of a total of 134 personal computers made by cardholders in the same center as the cardholder that purchased the 29 unused computers. Conclusions: Although weaknesses with FAA’s purchase card program were reported as far back as 1997, FAA has not corrected the identified problems. Consequently, improper and questionable purchases continued to occur, and numerous items purchased were lost or stolen because appropriate accountability had not been established. FAA has taken the first step towards addressing some of these issues by establishing new positions and responsibilities for overseeing its purchase card program at the national level, and issuing new policies to address some of the weaknesses identified. However, correcting the problems we identified will require a thorough evaluation and strengthening of current policies and procedures, a strong commitment at all levels of the agency to carrying them out, and appropriate oversight to continually assess the effectiveness of its controls. Until this occurs, FAA will continue to be exposed to fraud, waste, abuse, and lost assets in connection with its purchase card program. Recommendations for Executive Action: We recommend that the Administrator of FAA take the following actions to strengthen internal controls and compliance in its purchase card program, decrease wasteful purchases, and improve the accountability of assets in order to reduce FAA’s vulnerability to improper and wasteful purchases. Internal Controls: With regard to improving FAA’s internal controls over purchasing, we recommend that FAA do the following. * Establish policies and procedures that segregate duties for all phases of the purchasing process when using the purchase card. No individual should be able to take all the steps needed to request, purchase, pick up, and receive goods and services purchased. Such policies should also require that responsibilities of the cardholders, approving officials, funds certification officers, property custodians, and APCs be performed by different people to ensure that management controls are not circumvented. * Develop detailed procedures that specify the type and extent of approving official review that is expected. Such procedures might include a checklist for approving officials to use in their monthly reviews of cardholders’ transactions. At a minimum, these procedures should describe the types of supporting documentation that the approving official should ensure that the cardholder has provided, such as the invoice and/or credit card receipt, certification of funds availability, documentation of best value, applicable waivers, PPIMS input forms, and written dispute forms for any disputed charges; the purchasing requirements that the approving official should review for compliance with policies and procedures, such as reviewing for split purchases, cash advances, and compliance with purchase card and convenience check spending limits and limits for construction and nonconstruction services; and a requirement that as evidence of review, the approving official sign the cardholder’s monthly billing statement. * Establish policies and procedures to limit the number of cardholders assigned to any one approving official consistent with GSA guidelines. * Follow up on transactions we identified that were missing invoice documentation to determine what was purchased and whether the items were for legitimate government needs, and take appropriate disciplinary actions as warranted. * Reiterate records retention policy for purchase card transaction files. * Establish procedures to be performed by the approving official or issuing office when a cardholder leaves that office to ensure that his or her purchase files are retained in accordance with policy. * Require refresher training for all cardholders and approving officials. Such training should cover the areas discussed in this report, such as proper segregation of duties, purchasing policies and procedures, approving official responsibilities for reviewing and approving individual purchases, and reporting potential purchase card fraud and abuse. * Establish a systematic process that each APC can use to track and monitor training for cardholders and approving officials to help ensure that they receive (1) training before being granted purchase cards or approval authority and (2) timely, periodic refresher training. * Require initial and periodic refresher training for APCs, the national purchase card coordinator, and the national organization reporting coordinator that will assist them in carrying out their purchase card program management and oversight responsibilities. This should include developing a training curriculum specific to FAA purchase card policies and procedures. * Develop a national purchase card program monitoring and oversight system that includes assigning specific responsibility for following up on the effectiveness of actions to address prior audit or management review findings, overseeing local APC activities to ensure that local policies and procedures are adequate and consistent FAA-wide, and developing and using analytical tools to evaluate overall program results. * Develop operating guidance to assist APCs in performing their monitoring responsibilities. At a minimum, the guidance should: * provide detailed procedures for conducting annual reviews of cardholder and approving official activities, including the population to use when selecting the sample, the internal controls that should be assessed to ensure that they are operating as intended, and data analysis techniques and tools to use in analyzing bank electronic data, and: * specify the monthly EAGLS and other reports that should be monitored for potential fraud, waste, and abuse. * Establish procedures to monitor and ensure purchase cards are canceled when cardholders leave FAA, are reassigned, or no longer have valid needs for the cards. * Identify cardholders with multiple purchase cards and cancel additional cards. * Establish policies and procedures that prohibit the future issuance of multiple cards to cardholders. * Establish procedures to periodically assess whether each cardholder continues to have a valid need for a purchase card and the appropriateness of the individual’s spending limits. This should include verifying that current APCs and their alternates are not purchase cardholders. Compliance with Purchasing Requirements: With regard to improving and enforcing compliance with purchasing requirements at FAA, we recommend the following. * Revoke or suspend purchasing authority of cardholders who are found to be frequently or flagrantly noncompliant with policies and procedures, such as cardholders making split purchases, cash advances, or purchases exceeding established dollar thresholds. * Exercise appropriate disciplinary action against supervisors or approving officials who direct or approve purchase transactions that are noncompliant with policies and procedures. * Clarify FAA policy regarding the type of documentation required of cardholders, in lieu of a waiver, when not using a JWOD supplier, since JWOD suppliers do not issue standard waivers. Wasteful and Questionable Purchases: With regard to purchases that may be at an excessive cost or for questionable government need, we recommend that FAA do the following. * Establish agency policies covering the allowability, justifications, and approvals required for purchasing items that should be controlled or restricted such as store gift cards and food. * Clarify AMS policy and operating guidance regarding documentation requirements for the best value determination, including types of acceptable documentation. * Establish policies and procedures to better limit and control the use of third party on-line payment companies as a payment mechanism. This might include requiring documented advance approval from the approving official to help ensure that the item is needed and that the on-line payment company is the only viable method of payment, as well as a subsequent verification to help ensure that the item or service purportedly purchased was in fact received. Recording and Safeguarding of Assets: With regard to improving FAA’s controls over the purchasing, recording, and safeguarding of assets, we recommend the following. * Require centralized receiving and acceptance of accountable assets and sensitive property items purchased. * Establish required time frames for completing and submitting property input forms, and for recording accountable assets in the property management system. * Follow up on property items that FAA officials were unable to locate at the time of our unannounced inventory to determine whether the items were subsequently located and entered into FAA’s property management system or whether the items were in fact lost or stolen, and take appropriate disciplinary actions as warranted. * Establish procedures to ensure that appropriate disciplinary action is taken against cardholders, approving officials, and/or property custodians as applicable who are unable to account for purchased assets under their responsibility in order to improve accountability for these assets. * Improve physical security over the storage of computer-related equipment, such as placing these items in locked storage until they can be entered into the property management system and assigned to users. * Require purchases of certain assets, such as computer equipment, to be coordinated centrally to take advantage of economies of scale, standardize types of equipment purchased, and to better ensure bona fide government need for each purchase. Agency Comments and Our Evaluation: We received written comments from DOT on a draft of this report, which are reprinted in appendix I. DOT expressed its commitment to the principles of the program and said that FAA has taken or plans to take a number of actions to ensure that the issues identified in our report are effectively addressed and appropriately enforced. For example, FAA established a (1) National Purchase Card Coordinator position to provide centralized program monitoring and (2) National Organization Reporting Coordinator position to enhance operating guidance and assist agency program coordinators in improving guidance for monitoring the purchase card program. In addition, FAA has revised its operating guidance to assist in strengthening controls over the purchase card program. Examples include clarifying segregation of duties requirements, specifying the type and extent of the approving official review, and developing standard policy guidance requiring that high cost or high quantity items be centrally purchased to take advantage of economies of scale. Implementation of these and other recommendations in our report should greatly reduce FAA’s vulnerability to improper, wasteful, and questionable purchases and missing assets. : As agreed with your office, unless you publicly announce its contents earlier, we plan no further distribution of this report until 10 days after its date. At that time, we will send copies of this report to the Ranking Democratic Member, House Committee on Transportation and Infrastructure; the Secretary of Transportation; and the FAA Administrator. Copies will also be made available to others upon request. In addition, the report will be available at no charge on the GAO Web site at http://www.gao.gov. If you have any questions about this report, please contact me at (202) 512-9508 or calboml@gao.gov; Doreen Eng, Assistant Director, at (206) 287-4858 or engd@gao.gov; or Steven Haughton, Assistant Director, at (202) 512-5999 or haughtons@gao.gov. Major contributors to this report are acknowledged in appendix II. Sincerely yours, Linda M. Calbom Director, Financial Management and Assurance: Signed by Linda M. Calbom: [End of section] Appendixes: Appendix I: Comments from the Department of Transportation: U.S. Department of Transportation Assistant Secretary for Administration 400 Seventh St., S.W. Washington, D.C. 20590: MAR 11 2003: Ms. Linda Calbom: Director, Financial Management and Assurance, U.S. General Accounting Office: 441 G Street, N.W. Washington, D.C. 20548: Dear Ms. Calbom: Thank you for the opportunity to comment on the General Accounting Office (GAO) draft report about the Federal Aviation Administration’s (FAA) purchase card program. Based on input from internal reviews, and previous work by the Office of Inspector General (OIG) and GAO, FAA is tightening up program controls and improving program operation. Our objective is to ensure that all use of the purchase card is appropriate, comports with the purchase card program requirements, and fulfills the purchase card program objective of improved economy. To fully appreciate the complexity of the FAA purchase card program, it is important to keep an overall perspective of its scope and extent in mind. FAA has more than 50,000 employees spread over the 50 United States and abroad, in headquarters, 9 regions and 2 centers. Individual offices range in size from thousands in headquarters to some as small as two to three people. Cumulatively, during FY-2001, the year examined in the GAO draft report, FAA made over 364,000 purchase card related transactions valued at $151 million. Extensive Action Taken and Underway To Ensure Effective Controls over the Purchase Card Program: We cannot overemphasize FAA’s commitment to running a sound purchase card program in compliance with all applicable requirements. FAA has numerous actions completed or underway intended to ensure the program functions effectively and within the parameters established by law and regulation. In fact, FAA has already completed or taken action on recommendations from previous OIG reports, GAO’s recent report on one of FAA’s regional operations, and the recommendations included in this draft. For example: * FAA established a National purchase card coordinator position to provide National program monitoring and oversight. In addition, a National Organization Reporting Coordinator has been established to enhance operating guidance and assist agency program coordinators in improving guidance for monitoring the purchase card program. * FAA issued guidance on June 4, 2002, restricting the use of Federal funds for purchasing or renting flat panel computer display monitors, plasma displays, or personal digital assistants. * FAA revised its Federal Aviation Administration Acquisition System Toolset (FAST) to strengthen controls over the FAA purchase card program. These actions included: * clarifying segregation of duty requirements for the purchasing process to better ensure objective oversight of purchases; * providing detailed procedures specifying the type and extent of approving official review that is expected for the purchase card; * clarifying requirements and procedures for purchase card record retention; * defining refresher training requirements for both cardholders and approving officials; * developing standard policy guidance requiring that any high-cost, high-quantity items such as computer equipment and handheld radios, be centrally purchased within a line-of-business, center, or headquarters to take advantage of economies of scale; and * establishing procedures to periodically assess whether each cardholder continues to have a valid need for a purchase card. Overall, we appreciate GAO’s efforts to help us ensure that the FAA’s purchase card program functions appropriately and effectively. We maintain that the vast preponderance of the 364,000 annual transactions are appropriate, and conducted by conscientious individuals, working within the program’s guidelines, to fulfill its intent of increasing efficiency and reducing costs for the taxpayer. At the same time, we recognize the potential for further improvement, and are working hard to ensure that all transactions fulfill every program requirement. If you have any questions, please contact Martin Gertel of my staff on (202) 366-5145. Sincerely, Signed for Vincent T. Taylor [End of section] Appendix II: Staff Acknowledgments: Acknowledgments: Staff members who made key contributions to this report include Brooks Bare, Beverly Burke, Sharon Byrd, Anh Dang, Christine Fant, Angela Fernandez, Richard Kusman, Carla Lewis, and Russell Rowe. (190043): : FOOTNOTES [1] U.S. Department of Transportation Office of Inspector General, Department of Transportation Use of Government Credit Cards, FI-2001- 095 (Washington, D.C.: Sept. 24, 2001). [2] Operating administrations are the agencies within DOT such as the U.S. Coast Guard, the Federal Aviation Administration, and the Federal Highway Administration. [3] U.S. General Accounting Office, FAA Alaska: Weak Controls Resulted in Improper and Wasteful Purchases, GAO-02-606 (Washington, D.C.: May 30, 2002). [4] Convenience checks issued are charged against the cardholder’s purchase card account and are used when the merchant does not accept credit cards. [5] Of these transactions, 12 were identified during our detailed sampling, and 42 additional transactions were identified by two of the cardholders who had unauthorized purchases in our detailed sample. [6] The government also uses commercial credit cards for government- related travel expenditures (travel cards) and for expenditures related to the maintenance and operation of government-owned vehicles (fleet cards). Travel and fleet cards are not covered within the scope of this report. [7] References to FAA policies in this report refer to policies established in AMS, the Toolset, or other FAA orders. [8] FAA’s organization consists of nine geographical regions, two major centers, and its headquarters office. [9] FAA Order 4650.21C, Management and Control of In-Use Personal Property, defines accountable property as a term used to identify government property that is required to be recorded in a formal personal property accounting system and controlled by an identification system and supporting records from acquisition through disposal. The type of asset and its cost determine whether it is considered accountable property. For example, mandatory sensitive items, such as photographic and automated data processing equipment costing $500 and above, and all items $2,500 and above are required to be recorded in FAA’s property management system. [10] FI-2001-095. [11] U.S. Department of Transportation Office of Inspector General, Government Credit Card Program Departmentwide, MA-1998-004 (Washington, D.C.: Nov. 4, 1997). [12] GAO-02-606. [13] We excluded FAA’s Alaskan Region from the scope of our review due to our ongoing work at that region that included a review of purchase card controls and selected purchase card transactions (GAO-02-606). FAA’s other regions are the Central, Eastern, Great Lakes, New England, Northwest Mountain, Southern, Southwest, and Western Pacific regions. The two centers are the Michael Monroney Aeronautical Center and the William J. Hughes Technical Center. FAA headquarters consists of the Washington, D.C., metropolitan area. [14] U.S. General Accounting Office, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 2000). [15] U.S. General Accounting Office, Internal Control Management and Evaluation Tool, GAO-01-1008G (Washington, D.C.: August 2001). [16] U.S. General Accounting Office, Guide for Evaluating and Testing Controls Over Sensitive Payments, GAO/AFMD-8.1.2 (Washington, D.C.: May 1993). [17] U.S. General Accounting Office, Strategies to Manage Improper Payments: Learning From Public and Private Sector Organizations, GAO- 02-69G (Washington, D.C.: October 2001). [18] Data mining applies a search process to a data set, analyzing for trends, relationships, and interesting associations. For instance, it can be used to efficiently query transaction data for characteristics that may indicate potentially improper activity. [19] The sample population consisted of purchase card charges totaling $148.3 million. This excludes adjustments for returned items and reversals of disputed charges, as well as Alaskan Region transactions since this region was not included in the scope of our audit. [20] Sensitive property items are especially susceptible to theft, loss, or conversion to personal use. [21] We are 95 percent confident that the total dollar value of transactions that lacked adequate segregation of duties was between $36 million and $52 million. [22] We are 95 percent confident that the total dollar value of transactions that lacked evidence of approving official review was between $20 million and $34 million. [23] The remaining 89 transactions provided no evidence of supervisory review. [24] The name of the second establishment was abbreviated on the bank statement, making it less obvious where the charges were made. [25] The remaining 1,513 approving officials were responsible for 10 or fewer cardholders. [26] We are 95 percent confident that the total dollar value of transactions that lacked key supporting documentation was between $3 million and $13 million. [27] This category also included several transactions in which FAA provided purchase documentation, but the purchase amount on the vendor’s invoice, credit card slip, or other store receipt did not agree to the amount included on the cardholder’s monthly statement and the cardholder was unable to reconcile these two amounts. [28] We are 95 percent confident that the total dollar value of transactions that lacked a written certification that adequate funds were available was between $75 million and $93 million. [29] MA-1998-004. [30] FI-2001-095. [31] GAO-02-606. [32] EAGLS is a Web-based system designed to help APCs perform administrative and accounting tasks and analyze program activities on- line. [33] Our finding only relates to 11 of 12 APCs because the scope of our review excluded the Alaskan Region. [34] Using data mining, we identified instances where one cardholder made multiple purchases from the same vendor on the same day that, in total, exceeded the cardholder’s established single purchase limit. We then followed up with the APCs and cardholders and, based on the documentation and responses provided, determined whether split purchases had been made. [35] FAA must comply with the Service Contract Act of 1965, as amended; the applicable provisions of the Fair Labor Standards Act of 1938, as amended; and related Secretary of Labor regulations and instructions. These laws and regulations govern various labor standards for construction and nonconstruction services. [36] FAA exempts the following types of services from this requirement: maintenance, calibration, or repair of automated data processing equipment, scientific equipment and medical apparatus, and office or business machines. [37] FAA prohibits the use of the purchase card or convenience checks for certain types of services, including advisory and assistance services. It defines advisory and assistance services as “those services that are provided by nongovernmental sources that support or improve agency policy development, decision-making, management, and administration, or support or improve the operation of management systems. Advisory and assistance services provide outside points of view from individuals with special skills or knowledge from industry, universities or research foundations. Examples include studies, analyses, and evaluations, management and professional support including consultants, experts and advisors.” [38] FAA specifies that this definition includes but is not limited to improvements of all types, such as painting, fencing, and carpet installation at air traffic control facilities, communication towers, radar facilities, and office facilities. [39] Unlike purchase card transactions, there is no authorization process at the point of sale for convenience checks. However, agencies may elect to have a dollar limit imprinted on the check, as FAA has done. [40] FAA policy requires that purchasers acquire certain products and services from designated mandatory sources, including JWOD Act suppliers and UNICOR. FAA purchasers are permitted to purchase from other sources only after a mandatory source provides a waiver indicating that it cannot provide the requested items. Although FAA’s procurement guidance requires that waivers be obtained from both JWOD and UNICOR, we found that JWOD suppliers generally do not issue waivers. According to the Director of Customer Service for the JWOD program, it is not normal practice to issue a waiver for items that are not currently available or items that it does not stock. Waivers are rarely issued, and if a waiver were granted to an agency, it would most likely be in the form of an E-mail. As a result, we accepted any documentation that would support that a JWOD supplier did not offer the items or that the items were currently unavailable. [41] We are 95 percent confident that the total dollar value of transactions that lacked the required waivers or other supporting documentation was between $8 million and $10 million. [42] Simply stated, the bona fide needs rule stands for the proposition that a fixed period appropriation may not be used to purchase a future- year need after the expiration of the appropriation’s period of availability for incurring obligations. [43] The bulk of the purchase was for a line item on the receipt that only showed a customer agreement number. We attempted to verify what was purchased with the vendor, but due to the age of the receipt, we were unable to obtain the detailed information by the time of our report. [44] Due to a lack of documentation and explanation for these transactions, we were unable to determine whether any of these charges were also improper purchases. [45] Only 7 of these transactions were selected in the nonstatistical or statistical samples and were thus included in the totals shown in table 2. The remainder was identified by conducting a query on the database for Internet service providers such as those listed. [46] FAA policy defines best value as a term used during the procurement source selection to describe the solution that is most advantageous to FAA, based on the evaluation of price and other factors specified by FAA. [47] Not all purchases in our 333-item selection were subject to the determination of best value. For example, purchases from required sources and purchases made through a single source selection process are not subject to the determination of best value requirement. [48] We are 95 percent confident that the total dollar value of transactions that lacked documentation of the best value determination was between $65 million and $84 million. [49] We estimate that $8 million of the total fiscal year 2001 purchase card and convenience check transactions lacked key supporting documentation. We are 95 percent confident that the total dollar value of transactions that lacked key supporting documentation was between $3 million and $13 million. [50] For the remaining 13 transactions, we were unable to determine whether the purchase was for a bona fide government need or use. Therefore, we included these transactions in table 2 of this report. [51] Because FAA also purchased computers and related equipment from vendors that sold computers and noncomputer-related items, we could not determine the total amount of such equipment FAA purchased. [52] We identified 92 asset-related transactions in the statistical sample. Of the 92, 39 had not been recorded in PPIMS. [53] We are 95 percent confident that the total dollar value of transactions that were unrecorded in PPIMS was between $14 million and $19 million. [54] We identified 355 asset-related transactions in the nonstatistical sample. Of the 355, 223 (63 percent) had not been recorded in PPIMS. GAO’s Mission: The General Accounting Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO’s Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as “Today’s Reports,” on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select “Subscribe to daily E-mail alert for newly released products” under the GAO Reports heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. General Accounting Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: