GSA SmartPay Conference
Citi Support: Techniques for Establishing a Successful Audit Process
David Ruda
Citi Commercial Cards, Government Services

The Tenth Annual GSA SmartPay Conference: Towards New Horizons!
Denver, Colorado
July 22nd - July 24th, 2008

Goals and Objectives
- Learn about techniques that will help you proactively manage your card program and be prepared for an audit

Agenda
1. Establishing an Audit Program
2. Tips for Establishing Policies and Procedures
3. Compliance
4. Fraud, Waste and Misuse Indicators
5. Tools
6. Summary

Basic Card Program Building Blocks: 6 steps to remember
- Sourcing: transparency and knowing your contract terms and conditions
- Order Placement: match cardholder controls to your ordering guidelines
- Payment and Settlement: use automation and default accounting codes when you can
- Reconciliation: critical to have proper procedures in place
- Control and Audit: important to have visibility into spending and know your triggers of when to audit
- Reporting back data integration, vendor spending reviews

Establishing an Audit Program
- Why?
  - GAO's Mandate
  - Strengthen Internal Controls
  - Ability to Detect Fraud, Waste and Abuse
- Create your team
- Get your stakeholders involved
- Use technology when you can
- Mandate training
- Start before the card is used
- Peer Reviews

Audit Program - Start Where the Problems Are!
- Purchase
  - Cardholder reconciliation
  - Approving Official review
  - Split/Fragmented Payment
  - Exceeded Cardholder Authority
  - Training Program
- Travel
  - Delinquencies
  - Expense Report Submission
  - Cash advances
  - Declined authorizations
  - Appropriate Travel Management Centers (TMC)
  - Use of GSA City Pair Airfare
  - Training Program

Main Components of an Audit Program: THE TOP THREE!
- Ongoing Card Program Reviews
- Document Retention Audits
- Internal Periodic Audits

Ongoing Card Program Reviews
Frequent card program reviews (e.g. weekly or monthly) should be conducted by the Program Administrator to identify any misuse.
Items to watch for:
- Split transactions (i.e. two or more transactions which show the following similarities: same date, same supplier, same cardholder, and same amounts)
- Unusual increase in the cardholder's average spend and/or highest spend amount
- Purchase amounts over transaction limits
- Purchase amounts within one percent to three percent below purchase limits
- Purchases with unauthorized suppliers

Document Retention Audits
AOPCs should also conduct periodic audits to ensure compliance with your documentation and retention policies.
A documentation and retention audit specifically includes:
- Confirmation that all cardholders have completed the mandatory cardholder training
- Verification that all cardholders have a signed, up-to-date Cardholder Agreement on file
- Analysis of all records to ensure that all card program or user profile changes are properly documented
- Review of card statements to ensure that cardholders are retaining purchase receipts with the statements

Internal Periodic Audits
Internal audits should be performed periodically and include a review of card statements.
Card statements should be audited for:
- Compliance with review, approval, and documentation/retention policies
- Frequency of exception requests (e.g. transaction limits and MCC blocks)
- Purchases with non-compliant suppliers and spend types

Internal Periodic Audits: Finding the High Risk Population!
- Perform a random sample
  - Start with 5-10 percent of active cardholders
  - Include 50% of at-risk cardholders
- At-risk cardholders typically meet one or more of the following criteria:
  - Review high-dollar transactions
  - Review high frequency of transactions within the billing cycle
  - Look at prior history of non-compliance (e.g. spend with unauthorized suppliers or blocked MCCs)

Tips for Establishing Policies & Procedures: Policies Should Encourage Risk Management vs. Risk Avoidance
- Set specific policies to ensure proper controls are in place
- Create cross-functional team when establishing policies
  - Involve auditors, IG representatives
- Publish procedures and widely distribute
  - Develop agency-wide newsletters
  - Use your intranet
- Incorporate policies into new cardholder training
  - Use policies as the outline for training agenda

Tips for Establishing Policies & Procedures
- Develop reminder messages for all cardholders and managers
  - Use statement messages or broadcast e-mails
- Review policies and procedures at least annually
  - Modify according to audit findings and feedback received during training sessions

Tips for Establishing Policies & Procedures: Suggested Items for Your Formal Guidelines
- Who should / should not have cards
- How to obtain, change and close an account
- Training requirements
- References to FARs
- Don't buy list
- Supply sources
- Reconciliation procedures

Tips for Establishing Policies & Procedures: Suggested Items for Your Formal Guidelines
- Audit procedures and frequency
- Review actual fraud / misuse cases
- Applying authorization controls
  - Use MCC blocks to assist with enforcement of don't buy list
  - Limit spending within MCCs
  - Review transactions and modify as necessary

Compliance - Good Training and Follow-Up
- What is the notification and follow-up process?
- Is non-compliance the result of overly strict policies?
- Is non-compliance the result of vaguely worded policies?
- Empower cardholders and managers, and hold them accountable
- Current cardholders and managers should participate in recurring training
- Ask current cardholders to lead training sessions or mentor new cardholders

Compliance - Record Keeping & Document Retention
- Records measure compliance
- Determine whether centralized / de-centralized storage is appropriate
- Investigate electronic storage
- Review proper record keeping techniques during training using actual examples
- Maintain attendance sheets from each training session
- Ensure all cardholders sign an agreement

Program Audit Tool: New for SmartPay 2!!
- Program Audit Tool: an audit, assessment and compliance assistance tool
- Electronic record of enforcement of policies
- Identifies Transactions of Interest that meet pre-defined business rules
- Allows AOs, APCs and auditors the ability to identify misuse, abuse and perform monthly audit requirements
- Rules-based filters
- Dashboard summary view
- Report cards
- Integrated with Citibank Custom Reporting System (CCRS)

Account Management Exceptions
- Account credit limit in excess of <X>
- Single transaction limit in excess of <X>
- Account Cash limits over <X>
- Account Cash limits over <X>% of total Account Credit Limit
- New account not activated within 30 days of open date
- New account not used within <X> months of account open date
- # of cardholder accounts per hierarchy unit <X>
- # of cardholder accounts per billing account <X>
- # of inactive accounts per billing account; inactive = no activity for Y months
- NSF payment
- NSF payment with history of other NSF
- Posted payment amount that is <X>% of cardholder credit limit (111% recommendation)

Transaction Exception Rules
- Posted transaction(s) causing over cardholder credit limit status
- Merchant city = cardholder account city
- <X>% of transaction from same merchant over <Y> billing cycles
- More than <X> # of merchant credits per billing cycle
- Merchant name = last name of cardholder
- Transaction amount in excess of account Single Credit Limit
- Single transaction amount within <X>% of credit limit
- Transaction amount over $<X>
- Posted transaction on closed account
- Suspect Merchant Names <X>
- Split Ticket -- multiple trans from same merchant, same tran date

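The split, over-limit, near-limit and unauthorized-supplier checks from the Ongoing Card Program Reviews and Transaction Exception Rules slides, written out as an added example; it is not part of the original slides and is not the Program Audit Tool's own logic. The record layout, rule names, single transaction limit and MCC block list are assumptions, and the transactions are constructed sample data.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample data: (txn_id, cardholder, merchant, mcc, date, amount)
TXNS = [
    ("t1", "ch-001", "Acme Office Supply", "5943", date(2008, 7, 1), Decimal("1500.00")),
    ("t2", "ch-001", "Acme Office Supply", "5943", date(2008, 7, 1), Decimal("1500.00")),
    ("t3", "ch-002", "Metro Hardware", "5251", date(2008, 7, 2), Decimal("2950.00")),
    ("t4", "ch-003", "Lakeside Jewelers", "5944", date(2008, 7, 3), Decimal("400.00")),
    ("t5", "ch-002", "Metro Hardware", "5251", date(2008, 7, 9), Decimal("3200.00")),
    ("t6", "ch-004", "Acme Office Supply", "5943", date(2008, 7, 9), Decimal("120.00")),
    ("t7", "ch-004", "Acme Office Supply", "5943", date(2008, 7, 9), Decimal("80.00")),
]
SINGLE_LIMIT = Decimal("3000.00")  # assumed single transaction limit
BLOCKED_MCCS = {"5944"}            # assumed MCC block list ("don't buy" list)
NEAR_LOW, NEAR_HIGH = Decimal("0.01"), Decimal("0.03")  # 1-3% below the limit


def flag_transactions(txns, limit=SINGLE_LIMIT, blocked=BLOCKED_MCCS):
    """Return {txn_id: sorted rule names} for transactions that hit a rule."""
    flags = defaultdict(set)
    groups = defaultdict(list)  # (cardholder, merchant, date) -> [(id, amount)]
    for tid, holder, merchant, mcc, day, amount in txns:
        groups[(holder, merchant, day)].append((tid, amount))
        if amount > limit:
            flags[tid].add("over_limit")
        elif NEAR_LOW <= (limit - amount) / limit <= NEAR_HIGH:
            flags[tid].add("near_limit")
        if mcc in blocked:
            flags[tid].add("blocked_mcc")
    for members in groups.values():
        if len(members) < 2:
            continue
        # Identical amounts match the stricter split-transaction definition.
        same_amount = len({amount for _, amount in members}) == 1
        for tid, _ in members:
            flags[tid].add("split_ticket")
            if same_amount:
                flags[tid].add("split_same_amount")
    return {tid: sorted(rules) for tid, rules in flags.items()}


if __name__ == "__main__":
    for tid, rules in sorted(flag_transactions(TXNS).items()):
        print(tid, ", ".join(rules))
```

Amounts are held as Decimal so the one-to-three-percent band is compared exactly rather than through floating-point rounding.
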
Program Audit Tool
Program Audit Tool - Rules
The Program Audit Tool The Stop Light!
Program Management Is Easier with the Right Tools
Here are some ideas:
- Employ electronic audit methods
  - Test all transactions each month
- Use Citibank electronic tools to identify transactions requiring more research
  - Transactions by MCC
  - Review declined transactions
  - Similar transactions each month
- GSA's Blueprint for Success
- GAO Web site: www.gao.gov
  - Auditing and Investigating the Internal Controls of Government Purchase Card Programs (Publication no: GAO-03-678G)

Summary
- Establishing your program
- Good policies and procedures
- Spotting fraud, waste and misuse
- Tools you can use

Reminders
- Thank you for attending this session
- Visit the Citi Welcome Center: Exhibit Area Entrance, Sheraton Denver
- Conference Slide Show: come see yourself shine
- Visit the Citi One-on-One Mini-Sessions: Governor's Square Rooms 10 and 11
- Please take a moment to complete your GSA survey for this session