DSU audit finds issues with state purchasing cards use

DOVER — An audit of Delaware State University’s use of state purchasing cards in fiscal year 2018 found erroneous reporting of transactions, missing documentation and card usage by those who weren’t full-time DSU employees, the state auditor released this week.

The audit of higher education procurement cards — conducted by Auditor Kathy McGuiness’ office following a complaint to the hotline — resulted in 10 recommendations for the university. Delaware Technical Community College was also audited, with no discrepancies found, in February. The University of Delaware declined to be audited.

“The University fully cooperated with the Purchase Card audit for the fiscal year 2018. As noted, the Auditor’s office identified some areas for improvement and identified other issues we have already corrected,” President Tony Allen said in a prepared statement. “Our responses are appended to the Auditor’s report. It is important to note that our fiscal year 2019 audit reflects the substantive improvements we have previously made.” 

Kathy McGuiness

Between the period of July 1, 2017 and June 30, 2018, the audit found that there were internal control weaknesses that could increase the risk of overspending and fraudulent charges, according to the report released Thursday.

The office of the auditor tested 40 random PCard samples and 67 “high risk transaction samples” — meaning transactions that include potential split transactions, PayPal transactions, Delaware hotel usage and more.

To strengthen its policy on the purchasing cards, the office’s recommendations include documenting initial and annual training on card policy and use, update offboarding checklists for terminated employees to include card deactivation, enter all purchases into the general ledger monthly and hold employees accountable for submitting receipts and conduct an internal audit on card processes.

In its statement, Dr. Allen said that in fiscal year 2019, the university began to follow such recommendations, including providing annual refresher training to all cardholders in addition to the required initial training, an annual review of the policy to provide further clarification around prohibited purchases and limiting the use of Purchase Cards to a pre-approved list of full-time employees. 

In the audit, the office found that there was a general lack of adhering to policy. In one case, expenses totaling $462,354 were not recorded in DSU’s general ledger because cardholders at the university didn’t provide monthly documentation on their purchases. This resulted in overspending in the same amount, according to the report.

“The DSU Purchasing Card Program was not followed, and cardholders were not held accountable for providing the documentation to reconcile their accounts,” the report states. “No accounts with transactions outstanding over 30 days appeared to be suspended. Poorly designed and enforced internal control procedures failed to provide timely reconciliation and recognition of expenses.”

According to DSU policy outlined in the report, cardholders should provide documentation within seven days of the card statement being issued, but the audit found that there was a lack of adhering to that deadline.

Of 86 sample transactions, 33% exceeded 40 days from transaction date to final approval. This can lead to “unrestricted expansion of the amount of unreconciled expenses,” the report notes.

In a response included in the audit, DSU officials stated that the university identified the misposted amounts for fiscal years 2018 and 2019 and “reconciled amounts to the department’s current years’ budget where possible.” It added that the university is evaluating how cardholders are held accountable for spending, and controls in its management software.

The audit also found that two cardholders were not full-time DSU employees, despite policy that states cardholders must be. One employee was in a consulting role, the other was part time.

“Non-employees are not subject to DSU policy, training requirements or normal personnel policies, including termination procedures,” the report states. “There is no control to ensure the return of PCards when a non-employee consultant leaves DSU.”

Additionally, in fiscal year 2018, employment ended for 27 DSU employee cardholders. The audit found that one former employee posted a transaction more than two weeks after the employment termination date at Yankee Candle, for $189.69.

“The expense report and receipt for the charge could not be produced,” the report states.

The audit took issue with unclear writing in policy regarding spending limits, which prohibits single item purchases that exceed $500. The audit found that was not clear, nor was it “systemically enforced.”

“The majority of cardholder purchases that we examined and which exceeded the $500 purchase limit did not show evidence of pre-approval, as required by the policy,” the report states. “The policy, as written, is somewhat confusing.”

Per the policy for card usage, PCards are not meant to be used for personal or private use, travel, transactions over the limit of card, split purchases to stay within transaction limits, entertainment and controllable equipment (such as iPads, computers).

Within the 6,116 transactions, 487 appear to violate the policy restrictions, according to the report. Potential violations amount to $208,540.

“While some of these purchases may be allowable, they lack adequate documentation to allow supervisors to make a determination of what may or may not be allowable,” the report states.

Loss of documentation was a recurring issue in the audit. From the 107 sample items, expense reports could not be located for 21 items, 20%, the report states.

“A deficiency exists in the inconsistent maintenance, tracking and control of source documents related to PCard expenditures,” the report states.

There was also no documentation of training for card usage, the report states.

The audit found that management was unable to provide further detail regarding the purchase of 120 Visa gift cards, totaling $4,180.

“Gift card purchases are inherently risky, using business funds,” the report states. “These items are highly pilferable and readily converted into cash. Failure to have comprehensive policy for tracking distribution of gift cards increases the risk of cardholder fraud and abuse.”

With turnover at DSU, the internal auditor position is vacant at the university. An internal audit on PCards was started, but not approved by the previous president and board, according to the report.

When it comes to documentation, the university wrote in the report that it “recognizes the importance of having an independent internal assessment of purchasing cards.”

“Delaware State University was in the process of hiring an internal auditor before the COVID-19 Pandemic and will continue that process once the current Pandemic has subsided,” officials said in the report. “Currently, Delaware State University is accessing purchase card transactions by utilizing current qualified staff members.”

Dr. Allen added that since becoming president in January, he created a Chief Enterprise Risk Officer role, which reports directly to him. Attorney LaKresha Moultrie, who serves in that position, has “recently selected a new Internal Auditor.”

This story has been updated to reflect a statement from Delaware State University.