Federal Deposit Insurance Corporation
Office of Audits
Office of Inspector General
Washington, D.C. 20434

DATE: August 30, 2002

TO: Fred S. Selby, Director, Division of Finance; and Arleas Upton Kea, Director, Division of Administration

FROM: Russell A. Rau [Electronically produced version; original signed by Russell Rau], Assistant Inspector General for Audits

SUBJECT: FDIC Travel Card Program (Audit Report Number 02-030)

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) has completed an audit of the FDIC’s travel card program. In May 2000, we issued another audit report regarding the FDIC’s travel card program. (Note: FDIC OIG Audit Report No. 00-015, Audit of the Corporation’s Procurement and Travel Card Programs, dated May 24, 2000.) Our May 2000 report concluded that the Bank of America was not providing timely, accurate, and usable card activity data, and the FDIC was quickly reinstating charge card privileges to employees whose cards had been cancelled due to delinquency or misuse. Subsequently, the Corporation took action to address these concerns. In September 2001, we received a specific request from Senator Charles E. Grassley, Ranking Member, U.S. Senate Committee on Finance, regarding the FDIC’s use of government charge cards. The objective of this current audit was to determine whether the FDIC had implemented effective internal control over its travel card program. Appendix I provides details of our scope and methodology. (Note: The five standards for internal control in the federal government as prescribed by the U.S. General Accounting Office (GAO) in Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1, November 1999) are: (1) the control environment, (2) risk assessment, (3) control activities, (4) information and communications, and (5) monitoring. These standards provide a general framework. In implementing these standards, management is responsible for developing the detailed policies, procedures, and practices to fit their agency’s operations and to ensure that they are built into and an integral part of operations.)

BACKGROUND

Through the FDIC’s travel card program, the Corporation issues Bank of America charge cards to FDIC travelers primarily to reduce travel administration costs to the agency, ensure proof of eligibility for travelers to obtain government rates, and eliminate travelers’ loss of personal credit capacity. In 1983, the government implemented the travel card program for federal employees. The FDIC’s participation in the travel card program dates back to 1990 and was adopted in large part because the FDIC realized operational cost efficiencies. For example, the FDIC determined that the cost of reimbursing travelers’ Automated Teller Machine (ATM) fees would be less than the cost of funds associated with the Corporation’s prior policy of advancing each traveler $1,500. FDIC Circular 2500.3, FDIC-Sponsored Government Travel Card Program, dated June 14, 2001, gives the FDIC Division of Finance (DOF), Employees Services Section (ESS), responsibility to oversee employees’ charge card use. ESS is responsible for the following:

• Reviewing travelers’ applications before card issuance.
  
  
• Initiating non-disciplinary actions (i.e., card cancellation) for using the card for personal business, or for confirmed unexcused failures to make timely payments.
  
  
• Contract/Task Order oversight management.
  
  
• Reviewing anomaly reports designed to show: (1) incorrect social security numbers, (2) terminated employees with active cards, and (3) charge and/or ATM activity when there is no corresponding official travel. ESS investigates all entries on such reports and takes corrective action when necessary.

Circular 2500.3 also provides that the Division of Administration’s Labor Employee Relations Section determines possible counseling or disciplinary action from ESS and division/office referrals. Disciplinary actions can be as severe as removal from employment.

Official travelers must use the card only for official travel-related services, pay monthly bills in full by the billing statement due dates, and comply with FDIC travel policies regarding the travel card. (Note: An employee may use the travel card to charge expenses for official travel authorized by the FDIC as outlined in the FDIC’s GTR. Official travel expenses are generally defined as those that will be reimbursed by the FDIC (e.g., transportation and lodging, meals, vehicle rentals, etc.). FDIC Circular 2510.4, the GTR, documents official travel expenses that will be reimbursed by FDIC.) The Bank of America administers FDIC travelers’ travel cards and provides monthly travel card account data and annual travel card program summaries through its contract with the FDIC. ESS and FDIC administrative officers receive monthly reports showing statement activity and delinquency information for individual traveler accounts. Travelers receive monthly account statements by mail and may also access their accounts electronically through Bank of America’s online account management system, Electronic Account Government Ledger System. The FDIC’s ESS reviews the monthly Bank of America information to ensure that FDIC travelers are complying with travel card policy guidance in FDIC Circular 2500.3. The Bank of America also cancels card privileges if travelers’ balances reach specified delinquent statuses.

The FDIC contract with the Bank of America is governed by the overall General Services Administration (GSA) SmartPay Master Contract. Under the terms of the SmartPay Master Contract, the government accepts no liability for charges made against individually billed accounts. We make further reference to the Bank of America’s contractual obligation to cover defaults in our Scope and Methodology section, Appendix I.

As of May 2002, there were 5,444 open FDIC employee travel card accounts. During calendar year 2001 and the period January through May 2002, FDIC travelers charged approximately $19.3 million and $10.7 million, respectively. Figure 1 below shows the level of travel card use by FDIC division or office and Figure 2 shows the amount of travel card purchases by category.

Figure 1: Travel Card Use by FDIC Division

[This image appears in the non-508-compliant version of the audit report.]

Text description of figure 1: FDIC divisions used travel cards for the calendar year 2001 as follows: Supervision, $10.5 million; Compliance, $2.2 million; Resolutions, $2.0 million; Inspector General, $0.9 million; Legal, $0.9 million; Administration, $0.8 million; Information Resources, $0.5 million; Finance, $0.5 million; and Other, $0.6 million. FDIC divisions used travel cards for the period of January through May 2002 as follows: Supervision, $4.7 million; Compliance, $1.0 million; Resolutions, $2.0 million; Inspector General, $0.5 million; Legal, $0.6 million; Administration, $0.5 million; Information Resources, $0.4 million; Finance, $0.7 million; and Other, $0.4 million.

Figure 2: FDIC Travel Card Use by Purchase Categories

[This image appears in the non-508-compliant version of the audit report.]

Text description of figure 2: FDIC travel card use by purchase categories for the calendar year 2001 is as follows: Airfare, $7.1 million; Hotels, $5.1 million; Cash Withdrawals, $2.0 million; Motels/Lodges, $2.0 million; Rental Cars, $0.6 million; Restaurants, $0.2 million; Automobile Fuel, $0.2 million; and Other, $0.6 million. FDIC travel card use by purchase categories for the period of January through May 2002 is as follows: Airfare, $4.1 million; Hotels, $3.1 million; Cash Withdrawals, $1.0 million; Motels/Lodges, $0.9 million; Rental Cars, $0.4 million; Restaurants, $0.1 million; Automobile Fuel, $0.1 million; and Other, $0.3 million.

RESULTS OF AUDIT

In line with the GAO’s standards for internal control, the Corporation has taken necessary steps to implement effective internal control over its travel card program by (1) fostering an environment for appropriate use of travel cards; (2) identifying risks associated with travel card use; (3) establishing policies, procedures, and approval processes for travel card use; (4) coordinating/communicating with the Bank of America and related parties; and (5) monitoring and overseeing the effectiveness of its travel card program. The FDIC’s policies and its monitoring activities, along with Bank of America’s contractual travel card restrictions, serve to mitigate the risk of travel card abuses and potential damage to the public’s confidence in the Corporation as financial institution supervisor and insurer. Effective FDIC internal control is in place to monitor charge card activity, use of ATMs, and timeliness of payments. The FDIC has established a $15,000 credit ceiling on each traveler’s account. Bank of America monitors this credit limit and maintains its own oversight and restrictions on delinquent balances and ATM activity. Both the FDIC’s and Bank of America’s internal control activities help the FDIC effectively manage the program.

CONTROL OVER THE TRAVEL CARD PROGRAM

The following discussion presents each GAO internal control standard and the corresponding FDIC or Bank of America travel card program activities related to those control standards.

Control Environment

According to the GAO standards, management and employees should establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal control and conscientious management. The FDIC’s control environment includes a formal policy, Circular 2500.3, FDIC-Sponsored Government Travel Card Program, which establishes areas of accountability and informs employees of their travel card responsibilities and the corporate-initiated oversight. That environment is further fostered by FDIC internal review activities, including OIG audits and the Office of Internal Control Management’s (OICM) oversight. (Note: OICM is the corporate oversight manager for internal controls and risk management. OICM seeks to ensure that the FDIC operates within an environment conducive to strong internal control and works in partnership with all FDIC divisions and offices to help them identify, evaluate, monitor, and manage their risks.)

In addition, GAO indicates that integrity, ethical values maintained and demonstrated by management and staff, management’s commitment to competence, and good human capital policies all contribute to a positive control environment. In February 2000, the FDIC’s travel card average delinquency rate (all amounts more than 60 days delinquent as a percentage of total amount outstanding on individually billed accounts in a billing cycle) was approximately .75 percent. ESS received compliments from the Bank of America for administering a well-run program as compared to other agencies. For calendar 2001, the FDIC’s average 60-day delinquency rate improved to less than .05 percent. To put that in context, Bank of America’s data shows between a 7- to 10-percent and a 2- to 3-percent delinquency rate for government travel card and commercial charge card calendar year 2001 activity, respectively. For its exceptionally low 2001 delinquency rate, the FDIC received written commendation from Bank of America recognizing the FDIC as a "shining example of the benefits that effective program management can have on a travel program." The positive trend in delinquencies and the agency’s good standing with Bank of America reflect well on the FDIC’s control environment.

Risk Assessment

GAO directs agencies to provide for an assessment of the risks the agency faces from both external and internal sources. According to GAO, risk assessment involves management’s comprehensive identification of risks associated with interactions between the entity and other parties as well as internal factors at both the entity-wide and activity level. Once an entity identifies its risks, further analysis should include estimating each risk’s significance, assessing the likelihood of its occurrence, and deciding how to manage the risk through appropriate actions.

Assessing and managing the risks associated with the FDIC’s Travel Card Program are DOF’s responsibility. Although the FDIC did not complete a formal risk assessment in line with GAO’s description, DOF performs ongoing informal risk assessments to identify travel card program potential control weaknesses. For instance, to address the potential misuse related to retail purchases, the FDIC initiated automated blocking/prohibition of vendor codes during 2001 to prevent non-travel-related purchases with the card. The resulting restricted use of the travel cards prevents travelers from making certain apparent non-travel-related acquisitions, such as jewelry, clothing apparel, building materials, etc. This control eliminated much of the earlier years’ inappropriate travel card activity that resulted from employees mistaking the travel card for another personal charge card and abusing the card unintentionally.

During 2001, ESS also began reviewing ATM activity involving 10 or more withdrawals in any monthly cycle to assess whether cash withdrawals are reasonable under the employee’s travel-related assignments. ESS documented these procedures in a written summary of oversight actions used to ensure proper travel card use. Further, Circular 2500.3, FDIC-Sponsored Government Travel Card Program, presents the risks associated with the travel card program, describes the FDIC’s decisions on how to manage that risk, and defines what actions are to be taken to do so. Circular 2500.3 summarizes DOF’s oversight tasks and enables the FDIC to meet GAO’s basic criteria that agencies establish clear, consistent agency objectives and an analysis of relevant risks associated with achieving those objectives.

Among inherent charge-card program risks, Circular 2500.3 specifies the FDIC’s greatest risk as the danger of tarnishing the agency’s reputation for professionalism and adherence to the highest ethical standards. The loss of credibility through non-compliance with FDIC’s internal standards, the proper usage of travel cards being one measurement of such internal compliance, could cost the FDIC its ability to maintain public confidence as an oversight authority.

The FDIC has designated the ESS to maintain ongoing assessments of the risks associated with the Travel Card Program. Among other activities, ESS outlined the necessary tasks to maintain assurance that risky charge card activities are identified routinely and appropriate action is taken timely. Further, as any problem areas surface through travel card program mishaps, ESS performs an ongoing overall analysis of the travel card program, including identifying program risks and developing internal control actions to prevent the risks from becoming significant noncompliance issues. For instance, ESS oversees initial charge card approvals/issuance; instructs the Bank of America as to which vendor codes should be blocked from use; reviews the Bank of America’s monthly activity reports for payments, card abuses, and anomalies; and initiates card cancellation actions, when necessary. The specific oversight procedures resulting from ESS’s analyses fall under the GAO definition of Control Activities, the next major element of GAO’s Internal Control Standards.

Control Activities

According to GAO, Control Activities help ensure that management’s directives are carried out through adopting effective and efficient means of accomplishing an agency’s control objectives. The FDIC’s Control Activities include the policy and procedural guidance in Circular 2500.3, which provides policies and procedures for the distribution and use of the FDIC-sponsored government travel card and for internal ESS program oversight. The following list summarizes the FDIC’s Control Activities along with the applicable portion of the GAO Internal Control Standards, in parentheses, related to each activity:

1. Supervisory approval for card issuance. (Card authorization procedures are critical to proper transaction execution.)
   
   
2. Retail charges reviews/blocked transaction codes. (Restricting card use provides management over human resources behavior and ensures the integrity of travel card transactions.)
   
   
3. Delinquent accounts monitored/cards cancelled if necessary. (Timely recording of transactions and events is essential to a good control environment.)
   
   
4. Monitoring of frequent ATM transactions. Through its contract with Bank of America, FDIC employees are limited to ATM withdrawals of $500 total per week. The FDIC also identifies travelers making more than 10 ATM withdrawals in any month to assess the need for employees’ frequent ATM activity. (Frequent monitoring and followup on ATM activity detects potential misuse timely, ensures that employees behave responsibly, and ensures that the FDIC communicates consequences for variant behavior.)
   
   
5. Review for travel card use unaccompanied by official travel. (Identifying non-travel use of the travel cards, through matching travel card use with employee travel vouchers, is yet another measure of ensuring responsible card usage and provides the FDIC assurance of proper execution of card transactions.)
   
   
6. Pre-exit clearance process, including card cancellation/collection. Employees leaving FDIC employment must go through the FDIC’s pre-exit clearance process, administered by the Division of Administration (DOA). (DOA’s oversight provides segregation of duties between travel card administration and restricting card ownership to the FDIC employees. By closing departing employees’ accounts and physically collecting departing employees’ travel cards, the FDIC ensures that transactions remain authorized only to current employees.)
   
   
7. A $15,000 credit limit per card. The FDIC’s primary risk concern is the potential loss of public confidence in the FDIC and its mission, along with the risk that FDIC employees do not maintain the highest ethical standards. (By limiting cardholders to an established credit ceiling, the FDIC restricts the potential for gross abuse of card privileges. This restriction minimizes the potential loss to the Bank of America and possible embarrassment to the Corporation from an FDIC employee behaving irresponsibly with authorized credit.)
   
   

Information and Communications

GAO’s Internal Control Standards provide that information should be recorded and communicated to management and to others within the entity who need it. Communications should be in a form and within a timeframe that enables them to carry out their internal control and other responsibilities. GAO also describes effective communication of information as flowing down, across, and up the organization. Stakeholders, such as the Bank of America, having a significant impact on the agency achieving its goals should be included within established communications networks. The FDIC travel card program Information and Communications functions involve the Bank of America, DOF/ESS, FDIC offices/divisions, and FDIC employees.

The Bank of America is the central information/communications body within the FDIC’s Travel Card Program. The Bank of America has ongoing communications with vendors, FDIC employees, and FDIC management. For example, the Bank of America provides DOF/ESS and FDIC employees with statements of travel card transactions with vendors. DOF/ESS uses the Bank of America data to monitor FDIC employee travel card usage. Appendix II of our report provides a chart that shows how Travel Card Program information flows from and to the parties sponsoring and using official travel cards. The chart illustrates that the FDIC’s program provides, in GAO’s language, "useful, reliable, and continuous recording and communication of information." Further, the chart identifies the separation of duties among affected groups, a fundamental premise of good internal control.

Monitoring

Per GAO, internal control monitoring should assess the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved. Ideally, monitoring should be ongoing and done in the course of normal operations. Monitoring includes policies and procedures, audits and other reviews, and prompt resolutions of findings.

The FDIC has continuous oversight of its travel card program through activities in three FDIC Offices/Divisions. The Division of Finance administers the program, and part of its administrative task is to monitor travelers’ use of the cards. The Bank of America provides monthly travel card account data and annual travel card program summaries to the FDIC’s ESS. ESS then reviews the periodic Bank of America information to ensure that FDIC travelers are complying with travel card policy guidance issued by the FDIC. In addition, the OIG conducts audits of the Travel Card Program, as part of the OIG’s ongoing audits of FDIC’s operations. The OIG issued its most recent audit report of the program in May 2000 (see footnote 1 to our report). In that report, the OIG concluded that major travel card program concerns at that time involved Bank of America not reporting activity data timely and FDIC reissuing temporarily canceled cards prematurely. The OIG recommended corrective actions for both conditions and subsequently determined that DOF implemented the recommended corrective actions for both conditions.

Also, OICM conducts periodic independent reviews of the internal control structure over the Travel Card Program. Like the previous OIG audit effort, OICM’s latest review was also performed during calendar year 2000. In February 2000, OICM noted that internal and external systems problems at the Bank of America resulted in ESS’s inability to generate reports during 1999. OICM also noted that ESS expected reports to start being distributed on a regular basis and that regular distribution and followup represent a good control point in the travel card program. ESS did begin receiving those reports in early 2000. OICM did not have any recommendations to enhance the program at the time of its February 2000 review.

SCOPE AND METHODOLOGY

Our audit objective was to determine whether the FDIC has implemented effective internal control over its travel card program. The FDIC’s DOF has been monitoring the corporate travel card program since 1993. Our audit scope covered calendar year 2001 and the period from January through May 2002. Our audit results were based on audit tests of the FDIC’s accounting records, internal management reports, and interviews with FDIC and Bank of America officials. GAO’s Internal Control Standards were used to conclude as to the adequacy of FDIC control activities.

Based on our risk assessment, we determined that the following control activities were key to reducing the risk of improper card usage:

1. Retail Charges Reviews/Blocked Transaction Codes
2. Monitoring of Frequent Automated Teller Machine (ATM) Transactions
3. Pre-exit Clearance Process Card Cancellation/Collection

Accordingly, we focused our testing on the above three control activities. In the testing process, however, our testing procedures included reviews of additional related control activities having similar safeguarding mechanisms to the three control activities selected. Our comments below indicate when and how interrelationships among control activities became part of our testing.

• Retail Charges Reviews/Blocked Transaction Codes. Our transaction universe included the blocked transactions for the first 5 months of 2002. We selected all transactions exceeding $500 through database queries and verified that DOF/ESS had satisfactorily detected the potential card abuse and resolved the issues per the policy and guidance in Circular 2500.3. There were 12 transactions exceeding $500 during January through May 2002. ESS had appropriately identified all 12 as transactions for followup and had taken necessary actions to resolve how the retail charges arose. ESS also administered warnings in instances where the transactions involved first-time erroneous card usage. There were no abuses serious enough to warrant card cancellations among the 12 items we reviewed.

  The FDIC’s control environment over travel card retail charges is enhanced by both FDIC and Bank of America control activities other than the blocking and monitoring procedures tested. Several of these additional controls are:

  • FDIC travelers have a $15,000 credit limit ceiling, thus limiting the potential for intentional card abuse and nonpayment.
  • ESS reviews delinquencies monthly, thereby maintaining an ongoing awareness of travelers’ payment actions.
  • The Bank of America takes ultimate responsibility for unpaid amounts. The Bank of America, not the FDIC, stands to lose on travel card amounts deemed not collectible. For purposes of ensuring that travelers will be able to meet charge card obligations, it behooves the Bank of America to limit travel card use to legitimate travel-related and employer-reimbursable activity.
    
    
• Monitoring of Frequent ATM Transactions. We selected the universe of January through May 2002 travel card ATM use to identify frequent ATM withdrawals. DOF/ESS’s monitoring of frequent ATM withdrawals triggers a frequent use when 10 or more ATM withdrawals occur within a given month. We identified the instances in which there were 10 or more ATM withdrawals totaling $500 or more in a given month through database queries and reviewed DOF/ESS’s resolution of those travelers’ ATM use. There were 32 instances during the January through May 2002 period in which an individual FDIC traveler had 10 or more ATM transactions in a given monthly period. ESS properly identified each instance through automated queries and matched the ATM transaction dates with travel voucher itineraries for reasonableness. There were no exceptions requiring warnings or disciplinary actions.

  The Bank of America’s automated restriction on ATM usage serves as a corresponding control to ESS’s ATM frequent-use review. At the FDIC’s option, the Bank of America limits ATM use on daily, weekly, and monthly bases. During our audit scope, FDIC travelers were restricted to $250 ATM daily withdrawals and $500 per week. Under those conditions, FDIC travelers could not withdraw more than approximately $2,250 on a monthly basis, an amount of cash that appears to be reasonable to cover per diem and other non-charged travel expenses in that timeframe.

• Pre-exit Clearance Process Card Cancellation/Collection. We compared travel card account status records with current National Finance Center employment records through database queries to verify that travel card accounts of departed employees were no longer active. Any active accounts of departed employees would be identified in the output of our electronic query. We noted that the travel card accounts of departed employees had been closed appropriately and that those accounts carried a "closed account" designation in the DOF ESS travel card information application database. The FDIC’s pre-exit clearance procedures work properly.

  There are several Bank of America automated procedures to mitigate the possibility of departing employees continuing FDIC-issued travel card use. The Bank of America restricts excessive spending by maintaining $15,000 credit limits per each FDIC-issued travel card. Thus, the total exposure to loss cannot exceed $15,000. Further, the Bank of America, not the FDIC, is responsible for unpaid balances. The FDIC continues to face the potential negative impacts of delinquent and unpaid balances affecting public confidence in the Corporation as the bank regulatory authority. Nevertheless, the FDIC is not subject to financial loss through the travel card program. A final Bank of America procedure, administered by the FDIC on behalf of the Bank of America, is the Salary Offset Program summarized in Circular 2500.3. Although never used to date, the FDIC is authorized to establish salary offsets to assist with repayment of unpaid charge card balances, in accordance with General Services Administration rules in implementing the Travel and Transportation Act of 1998. This control would be most effective for recently departed employees to whom the Corporation may not have fully paid all amounts due in terms of final salary, accrued leave, retirement amounts, etc.

We performed our audit from April through July 2002 in accordance with generally accepted government auditing standards.

Source: Employee Services Section, Division of Finance

[This image appears in the non-508-compliant version of the audit report.]

Text description of appendix II figure: Various users and providers interact within the context of the FDIC Travel Card Program. The various parties and their functions are as follows: Vendors accept the travel card and receive payment from Bank of America. Bank of America does the billing, paying, reporting, restrictions, and account cancellation/suspension. FDIC employees fund official travel and manage spending limits. FDIC DOF answers inquiries, authorizes use, and monitors/administers. FDIC offices/divisions review reports, monitor use, and initiate disciplinary actions. The Labor Employees Relations Section works with divisions/offices regarding disciplinary actions/counseling. Each of these parties interact with each other as follows: The Bank of America interacts with vendors, FDIC DOF, and FDIC employees. FDIC DOF and FDIC employees interact with each other. FDIC offices/divisions interact with FDIC DOF and FDIC employees. Finally, the Labor Employees Relations Section interacts with FDIC offices/divisions.