The objective of this audit was to assess whether agencies had effectively administered credit cards, including having complied with legislative and internal requirements.
Commonwealth credit cards1 were introduced for use in Australian Government agencies in 1987 following the then Government's acceptance of a recommendation of an efficiency scrutiny on the processing of accounts, that credit cards should be used whenever possible to purchase or pay for goods and services.2
Credit cards enable agencies to purchase some goods and services with reduced administrative costs, and greater convenience and flexibility for staff, compared to using cash or cheques. However, the use of credit cards can expose agencies to risks of inappropriate or unauthorised expenditure. Agencies therefore should establish controls to effectively manage these risks. Such controls include informing cardholders of their obligations when using credit cards and having risk-based processes to check the validity of credit card expenditures. Once established, processes and controls within this framework should remain streamlined and effective.
Agencies generally use credit cards for services such as taxis, travel, accommodation and hospitality, as well as for small purchases of stationery stores, technical equipment and other goods. Credit cards are typically used for a large number of small transactions. Agencies usually establish their own credit card arrangements with banks or other card issuing bodies.
The total level of credit card expenditure by agencies is not publicly reported, and so is not readily estimated. However, credit card expenditures can be considerable, with some agencies spending tens of millions of dollars on purchases.
Legislation and guidance related to credit cards
Requirements relating to the use of credit cards3 are provided in the Financial Management and Accountability Act 1997 (FMA Act), Financial Management and Accountability Regulations 1997 (FMA Regulations) and Financial Management and Accountability Orders 2005 (FMA Orders). These requirements relate to such things as the need to make efficient, effective and ethical use of Commonwealth resources, ensuring all expenditure is appropriately authorised and the imposition of penalties on misuse of Commonwealth credit cards. Under the Fraud Control Guidelines one of the core areas that agencies' fraud risk assessments must cover is the use of Government credit cards.4
Chief Executive's Instructions (CEIs) generally provide guidance on the use of Commonwealth credit cards within individual agencies. The Department of Finance and Deregulation (Finance) has issued guidance on the development of CEIs in relation to credit cards.5
Framework for the management of credit cards by Australian Government agencies
While recognising legislative requirements and guidance on CEIs, approaches to using and administering cards and designing an effective control framework can vary between agencies, depending on the nature of the operations of the agency and the approach by management to purchasing arrangements. A mature framework governing the management of credit cards in APS agencies typically includes the administrative arrangements outlined in Figure 1.
Note: (A) Agencies should periodically review key elements of the framework to help ensure controls remain effective. This can be done as part of an agency's broader review processes or internal audit activity (as discussed in Chapter 4).
Source: Australian National Audit Office (ANAO).
The objective of this audit was to assess whether agencies had effectively administered credit cards, including having complied with legislative and internal requirements.
The audit examined Commonwealth credit cards used in each of the four selected agencies. The audit did not examine specialist cards, such as fuel cards.
Audit coverage and methodology
The four Australian Government agencies involved in this audit were the Department of Human Services, the Department of Agriculture, Fisheries and Forestry, the Department of Broadband, Communications and the Digital Economy and the Australian Competition and Consumer Commission.
To address the audit objective, the ANAO reviewed arrangements in place for the management and use of credit cards. The audit focussed on processes and controls over the issue of cards (including lost and stolen cards) and the approval, payment and acquittal of credit card expenses.
The audit methodology included an examination of credit card policies and procedures, training activities, and monitoring and control arrangements. The examination was undertaken by reviewing documentation, interviewing staff and undertaking audit testing. A sample of transactions was tested to ensure they satisfied legislative and internal requirements.
Following the conduct of audit fieldwork, each audited agency was provided with a management report detailing audit findings, conclusions and recommendations for improvement.
The use of Commonwealth credit cards to purchase mainly low-value goods and services involves relatively mature and straightforward financial processes. Control frameworks of Australian Government agencies are designed to mitigate risks of inappropriate or fraudulent use of cards. It is important that control frameworks are effective, as the misuse of credit cards can attract substantial public interest and reflect poorly on the ethical culture of an agency.
The combined effect of policies, procedures and administrative actions provided generally sound controls over the issue and cancellation of Commonwealth credit cards for all four agencies examined. These agencies had: established frameworks for providing guidance about issuing and cancelling credit cards that were integrated effectively into broader administrative arrangements; provided guidance for relevant staff that explained administrative actions required to apply for and return a credit card; and generally issued and cancelled cards in accordance with these policies and procedures. To help ensure cardholders are made aware of their obligations prior to using cards, there would be merit in one agency revising processes by having new (or re-issued) credit cards sent to the credit card administrator rather than directly to the cardholder.
In addition to providing adequate guidance about issuing and cancelling credit cards, the four agencies' policy and procedural documents provided specific guidance on credit card use. Cardholders, supervisors and credit card administrators at these agencies generally had a clear understanding of their responsibilities when using credit cards. To further inform staff of these responsibilities, there would be benefit in three of the agencies updating guidance to supervisors/managers on key matters to consider when reviewing monthly credit card statements. There would also be benefit in three agencies providing greater training to administrative support staff who prepare monthly credit card statement reconciliations.
Testing of credit card transactions demonstrated that the effectiveness of controls7 over the use of Commonwealth credit cards varied across the audited agencies. These controls were generally effective in two agencies and moderately effective in another agency. However, one agency specifically required improvement, as the ANAO found that almost one quarter (23 per cent) of transactions were not administered in accordance with legislative or internal requirements. Across the agencies, where the ANAO found instances of poorly operating controls they typically arose from: failure of the cardholder to obtain proper approval for expenditures and to retain sufficient supporting documentation; and inadequate credit card reconciliation statements, which were not completed correctly, supported by appropriate documentation and verified by the cardholder and independent reviewer.
The audit did not identify inappropriate expenditure or fraud in any of the audited agencies but does refer to Finance analysis of Certificate of Compliance returns regarding non compliance with requirements relating to credit cards. The ANAO considers that all audited agencies need to strengthen key controls over credit cards to further reduce the risk of misuse of credit cards. More broadly, it is important that all agencies ensure that cardholders and other relevant staff comply with controls over the use of Commonwealth credit cards.
It is also important that agencies obtain value for money from their credit card provider. Two of the audited agencies had established an appropriate arrangement with their credit card provider, which included a specific contract. The other two agencies did not have a contract with a credit card provider, although one of these agencies did have a copy of the terms and conditions under which the credit card facility was made available. It would be timely for these two agencies to review whether it was appropriate to: continue with their current provider under the current terms; revise the terms and conditions with the current provider; or assess the merits of approaching the market for the provision of credit card services.
Key findings by chapter
Issuing and Cancelling Credit Cards (Chapter 2)
Issuing Commonwealth credit cards to appropriate staff in a timely way supports efficient and effective purchasing. Cancelling a card immediately after a staff member has no further operational requirements for it, reduces the risk of the card being misused.
The ANAO found that the frameworks for providing guidance relating to issuing and cancelling credit cards in the four agencies were generally sound, as they were based on a hierarchy linking CEIs to detailed procedural rules and credit card agreement and acknowledgement forms.9
Two of the audited agencies had detailed guidance on processes to be followed by Finance unit staff issuing credit cards. There would be benefit in the other two agencies documenting preferred approaches to processing credit card applications, as they are often undertaken by inexperienced officers in the Finance unit.
Audited agencies typically did not have guidance specifying processes that help ensure the credit card administrator is informed when staff were leaving the agency. To support the timely cancellation of credit cards and recovery of any outstanding expenditure, there would be benefit in separation certificates10 including a requirement for cardholders to return credit cards on departure from an agency.
The ANAO tested 189 credit card applications across the four agencies to determine whether they were processed in accordance with internal processing requirements. This testing found that all processes related to issuing cards had occurred appropriately for three agencies. The other agency had a small number of missing records related to a relatively short period immediately after the agency was established.
ANAO testing also found that the cancellation process had been completed properly at all agencies, including that cards had been destroyed, and no transactions had been entered into after cards were cancelled.
Guidance and Training Related to Purchases with Credit Cards (Chapter 3)
To minimise risks associated with credit card expenditures, agencies require an appropriate control framework covering a broad range of staff. A key element of the control framework is that agencies have policies and procedural documents with specific guidance as to the nature of reasonable credit card use, especially relating to sensitive items such as travel and hospitality.
Three agencies had adequately documented business processes undertaken by the Finance unit to administer credit card expenditures. This was accomplished through various means such as manuals and intranet based guidance. However, one agency did not document the checking process that occurred when processing monthly credit card statements or the reconciliations (and necessary follow up action) that should be undertaken within the Finance unit. Providing that business processes have been appropriately documented, on the job training is likely to be sufficient for Finance unit staff to effectively administer credit card expenditures, particularly relating to monthly cardholder statements and reconciliations.
Agencies generally provided instruction to employees when they were first provided with a card. The cardholder was required to sign a form (often called an agreement and acknowledgement form) that covered a number of requirements regarding card use and related administration. The two agencies that used computerised systems to assist the administration of credit cards also had extensive guidance related to these systems, with one of these agencies providing cardholders with an online tutorial on credit cards as well as individual or group training for Canberra based staff.
Each agency made considerable effort to address the requirements of FMA Regulation 9 in regard to the use of credit cards.11 One agency gave all cardholders FMA Regulation 9 delegations, another agency issued guidance that required the cardholder to have a FMA Regulation 9 delegation or have the expenditure approved by an appropriate delegate. The other two agencies required documented prior approval by an appropriate approver for certain expenditure but had considered that FMA Regulation 9 approval could be obtained as part of the monthly credit card reconciliation process in other instances. The ANAO considers that such expenditure contravenes FMA Regulation 1312 and agencies need to amend processes to help ensure expenditure is approved in accordance with relevant FMA Regulations.
The ANAO notes, however, that in some instances appropriate verbal approvals may have been obtained.
If approval of a proposal to spend public money is not given in writing, FMA Regulation 12 requires the approver to record the terms of the approval in a document as soon as practicable after giving the approval. However, where there is no documented approval and agencies relied on a FMA Regulation 9 delegate signing the cardholder's monthly reconciliation statement it could not be known with certainty whether this delegate had originally provided prior oral approval. If he or she was not the approver, then the documentation did not satisfy FMA Regulation 12.
The ANAO found that there was generally scope to improve guidance to staff reconciling monthly credit card statements. In particular, agency guidance material generally did not clearly outline the role of staff reviewing monthly credit card statements that were submitted by cardholders. For example, one agency required reviewers to check monthly statements for accuracy or anomalies, but gave no guidance on how to do this.
Guidance provided by each of the agencies included provisions that advised cardholders of sanctions that applied in the case of misuse or abuse of credit cards (for example, fraud). However, this guidance typically did not specify what sanctions, if any, would be taken against cardholders who repeatedly did not comply with other responsibilities as cardholders (for example, timely reconciliation of statements or attaching relevant source documentation). The ANAO considers that agency guidance would be enhanced if there were an explicit explanation of the steps to be taken if cardholders, supervisors/reviewers and Finance unit staff do not carry out their administrative responsibilities as a cardholder in a diligent and timely manner.
In all audited agencies, administrative support staff were able to process monthly reconciliation statements on behalf of the cardholder,13 although the cardholder was still required to sign and confirm the statement. However, the extent to which agencies provided training to these staff varied considerably. One agency trained administrative support staff to process monthly credit card statements, while another provided training to regional administrative staff but not usually to executive assistants. The other two agencies did not provide specific training to administrative support staff or executive assistants on credit card administration. To provide effective control over credit card expenditures, it important that agencies adequately train all staff processing monthly credit card statements and undertaking associated tasks.
Controls Over Credit Card Expenditure (Chapter 4)
The ANAO tested whether each agency had established effective controls over credit card expenditures.14 Key controls involve requiring approvals prior to credit card expenditure, setting expenditure limits, requiring appropriate supporting documentation and reviewing monthly reconciliation statements. The ANAO concluded that the effectiveness of controls varied considerably across audited agencies.
In testing whether credit card transactions had been approved by a FMA Regulation 9 delegate, the ANAO found that:
- the agency that gave all credit card holders FMA Regulation 9 delegations for credit card purchases less than $2000 had appropriate FMA Regulation 9 approvals in all cases except one where the transaction exceeded the $2000 limit;
- in the agency that required cardholders to have a FMA Regulation 9 delegation or to obtain written approval from an appropriate delegate prior to a credit card purchase, there was not a clear documented record of appropriate FMA Regulation 9 approval for around one third of transactions examined. It is possible that appropriate verbal approval was provided in these cases but this could not be known with certainty; and
- two agencies did not require documented approval for all forms of credit card expenditure,15 and in these instances approval could not be known with certainty.
ANAO testing found that no credit card transactions exceeded established card limits in three agencies (see Table 1). In the other agency, a small number of transactions exceeded the transaction or monthly limits. One of the main reasons for this was that the agency lowered cardholders' transaction limits in agency records but did not advise the credit card provider.
Notes: (A) Based on examination of 628 credit card transactions across four agencies.
(B) The transaction and monthly limits were the same in agencies A and D.
One agency with over 10 per cent of tested credit card transactions that did not have appropriate supporting documentation (Agency A in Table 1) had guidance stating that supporting documentation was required for all transactions above $50 to satisfy goods and services tax requirements. An unintended consequence of this guidance was a perception by some cardholders that receipts were not required for transactions less than $50. The agency advised the ANAO that it will revise guidance to avoid this misunderstanding, as well as implement procedures to more closely scrutinise documentation supporting credit card statements.
To reinforce the importance of legislative compliance, Chief Executives of FMA Act agencies are required to provide a completed Certificate of Compliance.16 The Department of Finance and Deregulation analysed Certificates provided by 92 FMA Act agencies for the 2006–07 financial year. This analysis revealed a total of 268 breaches of the FMA Act and associated legislation reported by 18 agencies relating to the misuse of credit cards. This was a relatively low incidence given that millions of credit card transactions were made by the 92 FMA Act agencies. The majority (84 per cent) of instances of non-compliance with the FMA Act and related legislation involving credit cards were reported under Section 60 of the FMA Act.17 Three agencies reported 81 instances of non-compliance relating to credit cards due to alleged fraudulent activity. All 81 instances resulted in internal fraud investigations, with 16 (20 per cent) of those instances resulting in the employee's resignation or prosecution.
All four audited agencies required the cardholder and an independent reviewer to sign the credit card reconciliation statement. ANAO testing found that all cardholders and reviewers had signed monthly credit card reconciliation statements in two agencies. However, testing in the other two agencies revealed that these controls were not effectively implemented as almost 10 per cent of monthly credit card reconciliation statements were not signed by the cardholder or reviewer. This finding emphasises the importance of agencies clarifying requirements of staff reviewing monthly credit card statement reconciliations, to help ensure these reviews are effective.
The main reason for the relatively high reported processing error rate for one agency in coding credit card transactions was the lack of sufficient supporting documentation to verify correct accounting for tax purposes and appropriate recording in the agency's financial management information system (FMIS).
Managing the Relationship with the Card Provider (Chapter 5)
To obtain value for money from a credit card facility, two agencies undertook a tender process and entered into contractual arrangements with the preferred card provider. These contracts clearly specified responsibilities of the agency and card provider, and included arrangements to review the provision of the service at the conclusion of the contractual period.
The other two agencies did not have a contract with their credit card provider, although one had a copy of the terms and conditions under which the credit card facility was made available. An immediate consideration for both these agencies is to place their relationship with the provider of their Commonwealth credit card facility on a basis that properly reflects the service provided. There would also be merit in these two agencies reviewing existing credit card arrangements to decide whether it is appropriate to: continue with their current provider under the current terms; revise the terms and conditions with the current provider; or assess the merits of approaching the market for the provision of credit card services.
All agencies advised of regular communication with the credit card provider in relation to day-to-day operational matters. Finance unit staff of all agencies identified no particular difficulties dealing with card providers.
Sound and better practices
Table 2 Sound and better practices for administering credit cards
The report makes four recommendations based on findings from fieldwork at the audited agencies and broader audit analysis, which are likely to be relevant to all APS agencies. Therefore, all APS agencies should assess the benefits of implementing the recommendations in light of their own circumstances, including the extent that each recommendation, or part thereof, is addressed by practices already in place.
Summary of agencies' responses
Each of the audited agencies agreed with the four recommendations.
1 A Commonwealth credit card is defined in Section 60 (3) of the Financial Management and Accountability Act 1997 to be a credit card issued to the Commonwealth to enable it to obtain cash, goods or services on credit.
2 Department of Finance 1995, The Australian Government Credit Card (AGCC), A Guide on Best Practice, Revised and Reissued.
3 Key legislation pertaining to credit cards includes FMA Act sections 38, 44 and 60, FMA Regulations 9 13 and 21 and FMA Order 2.5.
4 Minister for Justice and Customs 2002, Commonwealth Fraud Control Guidelines 2002, Guideline 3 paragraph 3.9.
5 The guidance was issued by the then Department of Finance and Administration, Finance Circular
No. 2004/15 Guidance on the Development of Chief Executive's Instructions, 2004, available at <www.finance.gov.au/finframework/docs/Attachment_to_FC_2004-15.rtf>.
6 The Department of Broadband, Communications and the Digital Economy was established under the Administrative Arrangements Order of 25 January 2008. This audit was largely undertaken in 2007 in the then Department of Communications, Information Technology and the Arts, prior to the formation of the new department. The processes for the administration of credit cards being used in the new department were similar to those that existed in its predecessor department.
7 Key controls included the proper approval of expenditures, transactions being supported by appropriate documentation and monthly credit card statement acquittals being signed by the cardholder and an independent reviewer.
8 Procedural rules provide detailed operational arrangements relating to policies set out in CEIs. They are usually issued by an agency's Chief Financial Officer, and can be either compulsory or discretionary.
9 Agreement and acknowledgement forms are typically signed by a cardholder when they receive their credit card. They list key responsibilities of the cardholder, and can also refer to other guidance to be followed.
10 These are routinely required by agencies and cover matters such as security passes, assets on issue (for example phones) and Commonwealth credit cards.
11 FMA Regulation 9 requires an approver to satisfy himself or herself that the particular spending proposal accords with the policies of the Commonwealth and will make efficient and effective use of public money.
12 FMA Regulation 13 requires that a person must not enter into a contract, agreement or arrangement under which public money is, or may become, payable unless a spending proposal for the proposed contract, agreement or arrangement has been approved under the relevant FMA Regulations.
13 In this regard, administrative support staff typically fill out the details required on the cardholders monthly reconciliation statement including: coding information if known; attaching relevant supporting documentation supplied by the cardholder; and returning it to the cardholder for signature.
14 To estimate credit card processing error rates, the ANAO obtained each agency's transaction data for the 2006–07 financial year and selected in total a sample of 628 transactions stratified by transaction size, type and frequency.
15 However, these agencies had strong controls related to the monthly credit card reconciliation process.
16 A Certificate of Compliance consolidates a range of existing agency reporting requirements, and is intended to provide a comprehensive overview of the agency's compliance with the Australian Government's financial management framework.
17 Section 60 of the FMA Act specifies that cardholders must not use a Commonwealth credit card to obtain cash, goods or services otherwise than for the Commonwealth unless use is authorised by the Finance Minister's Orders and the Commonwealth is reimbursed in accordance with these Orders.