|
FDIC Travel Card Program
DATE: August 30, 2002 TO: Fred S. Selby, Director, Division of Finance; and Arleas Upton Kea, Director, Division of Administration FROM: Russell A. Rau [Electronically produced version; original signed by Russell Rau], Assistant Inspector General for Audits SUBJECT: FDIC Travel Card Program (Audit Report Number 02-030) The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) has completed an audit of the FDIC’s travel card program. In May 2000, we issued another audit report regarding the FDIC’s travel card program. (Note: FDIC OIG Audit Report No. 00-015, Audit of the Corporation’s Procurement and Travel Card Programs, dated May 24, 2000.) Our May 2000 report concluded that the Bank of America was not providing timely, accurate, and usable card activity data, and the FDIC was quickly reinstating charge card privileges to employees whose cards had been cancelled due to delinquency or misuse. Subsequently, the Corporation took action to address these concerns. In September 2001, we received a specific request from Senator Charles E. Grassley, Ranking Member, U.S. Senate Committee on Finance, regarding the FDIC’s use of government charge cards. The objective of this current audit was to determine whether the FDIC had implemented effective internal control over its travel card program. Appendix I provides details of our scope and methodology. (Note: The five standards for internal control in the federal government as prescribed by the U.S. General Accounting Office (GAO) in Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1, November 1999) are: (1) the control environment, (2) risk assessment, (3) control activities, (4) information and communications, and (5) monitoring. These standards provide a general framework. In implementing these standards, management is responsible for developing the detailed policies, procedures, and practices to fit their agency’s operations and to ensure that they are built into and an integral part of operations.) BACKGROUND Through the FDIC’s travel card program, the Corporation issues Bank of America charge cards to FDIC travelers primarily to reduce travel administration costs to the agency, ensure proof of eligibility for travelers to obtain government rates, and eliminate travelers’ loss of personal credit capacity. In 1983, the government implemented the travel card program for federal employees. The FDIC’s participation in the travel card program dates back to 1990 and was adopted in large part because the FDIC realized operational cost efficiencies. For example, the FDIC determined that the cost of reimbursing travelers’ Automated Teller Machine (ATM) fees would be less than the cost of funds associated with the Corporation’s prior policy of advancing each traveler $1,500. FDIC Circular 2500.3, FDIC-Sponsored Government Travel Card Program, dated June 14, 2001, gives the FDIC Division of Finance (DOF), Employees Services Section (ESS), responsibility to oversee employees’ charge card use. ESS is responsible for the following:
Circular 2500.3 also provides that the Division of Administration’s Labor Employee Relations Section determines possible counseling or disciplinary action from ESS and division/office referrals. Disciplinary actions can be as severe as removal from employment. Official travelers must use the card only for official travel-related services, pay monthly bills in full by the billing statement due dates, and comply with FDIC travel policies regarding the travel card. (Note: An employee may use the travel card to charge expenses for official travel authorized by the FDIC as outlined in the FDIC’s GTR. Official travel expenses are generally defined as those that will be reimbursed by the FDIC (e.g., transportation and lodging, meals, vehicle rentals, etc.). FDIC Circular 2510.4, the GTR, documents official travel expenses that will be reimbursed by FDIC.) The Bank of America administers FDIC travelers’ travel cards and provides monthly travel card account data and annual travel card program summaries through its contract with the FDIC. ESS and FDIC administrative officers receive monthly reports showing statement activity and delinquency information for individual traveler accounts. Travelers receive monthly account statements by mail and may also access their accounts electronically through Bank of America’s online account management system, Electronic Account Government Ledger System. The FDIC’s ESS reviews the monthly Bank of America information to ensure that FDIC travelers are complying with travel card policy guidance in FDIC Circular 2500.3. The Bank of America also cancels card privileges if travelers’ balances reach specified delinquent statuses. The FDIC contract with the Bank of America is governed by the overall General Services Administration (GSA) SmartPay Master Contract. Under the terms of the SmartPay Master Contract, the government accepts no liability for charges made against individually billed accounts. We make further reference to the Bank of America’s contractual obligation to cover defaults in our Scope and Methodology section, Appendix I. As of May 2002, there were 5,444 open FDIC employee travel card accounts. During calendar year 2001 and the period January through May 2002, FDIC travelers charged approximately $19.3 million and $10.7 million, respectively. Figure 1 below shows the level of travel card use by FDIC division or office and Figure 2 shows the amount of travel card purchases by category. Figure 1: Travel Card Use by FDIC Division [This image appears in the non-508-compliant version of the audit report.] Text description of figure 1: FDIC divisions used travel cards for the calendar year 2001 as follows: Supervision, $10.5 million; Compliance, $2.2 million; Resolutions, $2.0 million; Inspector General, $0.9 million; Legal, $0.9 million; Administration, $0.8 million; Information Resources, $0.5 million; Finance, $0.5 million; and Other, $0.6 million. FDIC divisions used travel cards for the period of January through May 2002 as follows: Supervision, $4.7 million; Compliance, $1.0 million; Resolutions, $2.0 million; Inspector General, $0.5 million; Legal, $0.6 million; Administration, $0.5 million; Information Resources, $0.4 million; Finance, $0.7 million; and Other, $0.4 million. Source: Bank of America Figure 2: FDIC Travel Card Use by Purchase Categories [This image appears in the non-508-compliant version of the audit report.] Text description of figure 2: FDIC travel card use by purchase categories for the calendar year 2001 is as follows: Airfare, $7.1 million; Hotels, $5.1 million; Cash Withdrawals, $2.0 million; Motels/Lodges, $2.0 million; Rental Cars, $0.6 million; Restaurants, $0.2 million; Automobile Fuel, $0.2 million; and Other, $0.6 million. FDIC travel card use by purchase categories for the period of January through May 2002 is as follows: Airfare, $4.1 million; Hotels, $3.1 million; Cash Withdrawals, $1.0 million; Motels/Lodges, $0.9 million; Rental Cars, $0.4 million; Restaurants, $0.1 million; Automobile Fuel, $0.1 million; and Other, $0.3 million. Source: Bank of America RESULTS OF AUDIT In line with the GAO’s standards for internal control, the Corporation has taken necessary steps to implement effective internal control over its travel card program by (1) fostering an environment for appropriate use of travel cards; (2) identifying risks associated with travel card use; (3) establishing policies, procedures, and approval processes for travel card use; (4) coordinating/communicating with the Bank of America and related parties; and (5) monitoring and overseeing the effectiveness of its travel card program. The FDIC’s policies and its monitoring activities, along with Bank of America’s contractual travel card restrictions, serve to mitigate the risk of travel card abuses and potential damage to the public’s confidence in the Corporation as financial institution supervisor and insurer. Effective FDIC internal control is in place to monitor charge card activity, use of ATMs, and timeliness of payments. The FDIC has established a $15,000 credit ceiling on each traveler’s account. Bank of America monitors this credit limit and maintains its own oversight and restrictions on delinquent balances and ATM activity. Both the FDIC’s and Bank of America’s internal control activities help the FDIC effectively manage the program. CONTROL OVER THE TRAVEL CARD PROGRAM The following discussion presents each GAO internal control standard and the corresponding FDIC or Bank of America travel card program activities related to those control standards. Control Environment According to the GAO standards, management and employees should establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal control and conscientious management. The FDIC’s control environment includes a formal policy, Circular 2500.3, FDIC-Sponsored Government Travel Card Program, which establishes areas of accountability and informs employees of their travel card responsibilities and the corporate-initiated oversight. That environment is further fostered by FDIC internal review activities, including OIG audits and the Office of Internal Control Management’s (OICM) oversight. (Note: OICM is the corporate oversight manager for internal controls and risk management. OICM seeks to ensure that the FDIC operates within an environment conducive to strong internal control and works in partnership with all FDIC divisions and offices to help them identify, evaluate, monitor, and manage their risks.) In addition, GAO indicates that integrity, ethical values maintained and demonstrated by management and staff, management’s commitment to competence, and good human capital policies all contribute to a positive control environment. In February 2000, the FDIC’s travel card average delinquency rate (all amounts more than 60 days delinquent as a percentage of total amount outstanding on individually billed accounts in a billing cycle) was approximately .75 percent. ESS received compliments from the Bank of America for administering a well-run program as compared to other agencies. For calendar 2001, the FDIC’s average 60-day delinquency rate improved to less than .05 percent. To put that in context, Bank of America’s data shows between a 7- to 10-percent and a 2- to 3-percent delinquency rate for government travel card and commercial charge card calendar year 2001 activity, respectively. For its exceptionally low 2001 delinquency rate, the FDIC received written commendation from Bank of America recognizing the FDIC as a "shining example of the benefits that effective program management can have on a travel program." The positive trend in delinquencies and the agency’s good standing with Bank of America reflect well on the FDIC’s control environment. Risk Assessment GAO directs agencies to provide for an assessment of the risks the agency faces from both external and internal sources. According to GAO, risk assessment involves management’s comprehensive identification of risks associated with interactions between the entity and other parties as well as internal factors at both the entity-wide and activity level. Once an entity identifies its risks, further analysis should include estimating each risk’s significance, assessing the likelihood of its occurrence, and deciding how to manage the risk through appropriate actions. Assessing and managing the risks associated with the FDIC’s Travel Card Program are DOF’s responsibility. Although the FDIC did not complete a formal risk assessment in line with GAO’s description, DOF performs ongoing informal risk assessments to identify travel card program potential control weaknesses. For instance, to address the potential misuse related to retail purchases, the FDIC initiated automated blocking/prohibition of vendor codes during 2001 to prevent non-travel-related purchases with the card. The resulting restricted use of the travel cards prevents travelers from making certain apparent non-travel-related acquisitions, such as jewelry, clothing apparel, building materials, etc. This control eliminated much of the earlier years’ inappropriate travel card activity that resulted from employees mistaking the travel card for another personal charge card and abusing the card unintentionally. During 2001, ESS also began reviewing ATM activity involving 10 or more withdrawals in any monthly cycle to assess whether cash withdrawals are reasonable under the employee’s travel-related assignments. ESS documented these procedures in a written summary of oversight actions used to ensure proper travel card use. Further, Circular 2500.3, FDIC-Sponsored Government Travel Card Program, presents the risks associated with the travel card program, describes the FDIC’s decisions on how to manage that risk, and defines what actions are to be taken to do so. Circular 2500.3 summarizes DOF’s oversight tasks and enables the FDIC to meet GAO’s basic criteria that agencies establish clear, consistent agency objectives and an analysis of relevant risks associated with achieving those objectives. Among inherent charge-card program risks, Circular 2500.3 specifies the FDIC’s greatest risk as the danger of tarnishing the agency’s reputation for professionalism and adherence to the highest ethical standards. The loss of credibility through non-compliance with FDIC’s internal standards, the proper usage of travel cards being one measurement of such internal compliance, could cost the FDIC its ability to maintain public confidence as an oversight authority. The FDIC has designated the ESS to maintain ongoing assessments of the risks associated with the Travel Card Program. Among other activities, ESS outlined the necessary tasks to maintain assurance that risky charge card activities are identified routinely and appropriate action is taken timely. Further, as any problem areas surface through travel card program mishaps, ESS performs an ongoing overall analysis of the travel card program, including identifying program risks and developing internal control actions to prevent the risks from becoming significant noncompliance issues. For instance, ESS oversees initial charge card approvals/issuance; instructs the Bank of America as to which vendor codes should be blocked from use; reviews the Bank of America’s monthly activity reports for payments, card abuses, and anomalies; and initiates card cancellation actions, when necessary. The specific oversight procedures resulting from ESS’s analyses fall under the GAO definition of Control Activities, the next major element of GAO’s Internal Control Standards. Control Activities According to GAO, Control Activities help ensure that management’s directives are carried out through adopting effective and efficient means of accomplishing an agency’s control objectives. The FDIC’s Control Activities include the policy and procedural guidance in Circular 2500.3, which provides policies and procedures for the distribution and use of the FDIC-sponsored government travel card and for internal ESS program oversight. The following list summarizes the FDIC’s Control Activities along with the applicable portion of the GAO Internal Control Standards, in parentheses, related to each activity:
Information and Communications GAO’s Internal Control Standards provide that information should be recorded and communicated to management and to others within the entity who need it. Communications should be in a form and within a timeframe that enables them to carry out their internal control and other responsibilities. GAO also describes effective communication of information as flowing down, across, and up the organization. Stakeholders, such as the Bank of America, having a significant impact on the agency achieving its goals should be included within established communications networks. The FDIC travel card program Information and Communications functions involve the Bank of America, DOF/ESS, FDIC offices/divisions, and FDIC employees. The Bank of America is the central information/communications body within the FDIC’s Travel Card Program. The Bank of America has ongoing communications with vendors, FDIC employees, and FDIC management. For example, the Bank of America provides DOF/ESS and FDIC employees with statements of travel card transactions with vendors. DOF/ESS uses the Bank of America data to monitor FDIC employee travel card usage. Appendix II of our report provides a chart that shows how Travel Card Program information flows from and to the parties sponsoring and using official travel cards. The chart illustrates that the FDIC’s program provides, in GAO’s language, "useful, reliable, and continuous recording and communication of information." Further, the chart identifies the separation of duties among affected groups, a fundamental premise of good internal control. Monitoring Per GAO, internal control monitoring should assess the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved. Ideally, monitoring should be ongoing and done in the course of normal operations. Monitoring includes policies and procedures, audits and other reviews, and prompt resolutions of findings. The FDIC has continuous oversight of its travel card program through activities in three FDIC Offices/Divisions. The Division of Finance administers the program, and part of its administrative task is to monitor travelers’ use of the cards. The Bank of America provides monthly travel card account data and annual travel card program summaries to the FDIC’s ESS. ESS then reviews the periodic Bank of America information to ensure that FDIC travelers are complying with travel card policy guidance issued by the FDIC. In addition, the OIG conducts audits of the Travel Card Program, as part of the OIG’s ongoing audits of FDIC’s operations. The OIG issued its most recent audit report of the program in May 2000 (see footnote 1 to our report). In that report, the OIG concluded that major travel card program concerns at that time involved Bank of America not reporting activity data timely and FDIC reissuing temporarily canceled cards prematurely. The OIG recommended corrective actions for both conditions and subsequently determined that DOF implemented the recommended corrective actions for both conditions. Also, OICM conducts periodic independent reviews of the internal control structure over the Travel Card Program. Like the previous OIG audit effort, OICM’s latest review was also performed during calendar year 2000. In February 2000, OICM noted that internal and external systems problems at the Bank of America resulted in ESS’s inability to generate reports during 1999. OICM also noted that ESS expected reports to start being distributed on a regular basis and that regular distribution and followup represent a good control point in the travel card program. ESS did begin receiving those reports in early 2000. OICM did not have any recommendations to enhance the program at the time of its February 2000 review. APPENDIX I SCOPE AND METHODOLOGY Our audit objective was to determine whether the FDIC has implemented effective internal control over its travel card program. The FDIC’s DOF has been monitoring the corporate travel card program since 1993. Our audit scope covered calendar year 2001 and the period from January through May 2002. Our audit results were based on audit tests of the FDIC’s accounting records, internal management reports, and interviews with FDIC and Bank of America officials. GAO’s Internal Control Standards were used to conclude as to the adequacy of FDIC control activities. Based on our risk assessment, we determined that the following control activities were key to reducing the risk of improper card usage:
Accordingly, we focused our testing on the above three control activities. In the testing process, however, our testing procedures included reviews of additional related control activities having similar safeguarding mechanisms to the three control activities selected. Our comments below indicate when and how interrelationships among control activities became part of our testing.
The FDIC’s control environment over travel card retail charges is enhanced by both FDIC and Bank of America control activities other than the blocking and monitoring procedures tested. Several of these additional controls are: The Bank of America’s automated restriction on ATM usage serves as a corresponding control to ESS’s ATM frequent-use review. At the FDIC’s option, the Bank of America limits ATM use on daily, weekly, and monthly bases. During our audit scope, FDIC travelers were restricted to $250 ATM daily withdrawals and $500 per week. Under those conditions, FDIC travelers could not withdraw more than approximately $2,250 on a monthly basis, an amount of cash that appears to be reasonable to cover per diem and other non-charged travel expenses in that timeframe. There are several Bank of America automated procedures to mitigate the possibility of departing employees continuing FDIC-issued travel card use. The Bank of America restricts excessive spending by maintaining $15,000 credit limits per each FDIC-issued travel card. Thus, the total exposure to loss cannot exceed $15,000. Further, the Bank of America, not the FDIC, is responsible for unpaid balances. The FDIC continues to face the potential negative impacts of delinquent and unpaid balances affecting public confidence in the Corporation as the bank regulatory authority. Nevertheless, the FDIC is not subject to financial loss through the travel card program. A final Bank of America procedure, administered by the FDIC on behalf of the Bank of America, is the Salary Offset Program summarized in Circular 2500.3. Although never used to date, the FDIC is authorized to establish salary offsets to assist with repayment of unpaid charge card balances, in accordance with General Services Administration rules in implementing the Travel and Transportation Act of 1998. This control would be most effective for recently departed employees to whom the Corporation may not have fully paid all amounts due in terms of final salary, accrued leave, retirement amounts, etc. We performed our audit from April through July 2002 in accordance with generally accepted government auditing standards. APPENDIX II FDIC TRAVEL CARD PROGRAM INTERACTIONS AMONG USERS AND PROVIDERS Source: Employee Services Section, Division of Finance [This image appears in the non-508-compliant version of the audit report.] Text description of appendix II figure: Various users and providers interact within the context of the FDIC Travel Card Program. The various parties and their functions are as follows: Vendors accept the travel card and receive payment from Bank of America. Bank of America does the billing, paying, reporting, restrictions, and account cancellation/suspension. FDIC employees fund official travel and manage spending limits. FDIC DOF answers inquiries, authorizes use, and monitors/administers. FDIC offices/divisions review reports, monitor use, and initiate disciplinary actions. The Labor Employees Relations Section works with divisions/offices regarding disciplinary actions/counseling. Each of these parties interact with each other as follows: The Bank of America interacts with vendors, FDIC DOF, and FDIC employees. FDIC DOF and FDIC employees interact with each other. FDIC offices/divisions interact with FDIC DOF and FDIC employees. Finally, the Labor Employees Relations Section interacts with FDIC offices/divisions. |
Last Updated 09/05/2002 |
|