Straight and narrow, Vol. 2, Issue 4 (Apr. 18, 2008)

The STRAIGHT and !"##$%
Office of Internal Audit, Board of Regents of the University System of Georgia, (404) 657-2237

April 18, 2008 Volume 2, Issue 4

The Office of Internal Audit has a position opening for an Auditor I. See the link below for additional details: http://www.usg.edu/employ ment/jobs/index.phtml?jobi d=1322
**Reminder** Audit Finding Status Reports are due to BOR Office of Internal Audit by April 30, 2008.
Progress on BPM Updates: P-Card, Agency Funds and Food BPM Draft Updates have been reviewed and commented on by DOAA and DOAS. Next steps: Obtain SAO comments and submit to Accounting Issues Committee for final review.
Current Version of House Bill 1113 may be viewed at: http://www.legis.state.ga.us /legis/2007_08/sum/hb1113. htm
"Creating A More Educated Georgia"
www.usg.edu

From the Desk of Ron Stark

The Year-End Workshop was held in Athens this year and I enjoyed seeing everyone that attended.
I find that the workshop is a great opportunity for everyone to interact, exchange ideas and learn what's on the horizon. If

this is not your experience, speak up and let us know what would make our yearend workshops more meaningful for you or your staff.
At the workshop, I brought everyone's attention to the penalties for purchasing

malfeasance that are stipulated in House Bill 1113. The discussion was meant to inform, not alarm.
The bill has been sent to the Governor for signing as of this date. If signed, it will apply to all transactions on and after July 1, 2008.

P-Card Audit Recommendations

Last quarter we described some of the issues we noted in our campus PCard Audits. We also provided recommendations for strengthening internal controls. In this article, we share some of the recommendations that were noted in our recently issued final report. The recommendations involve the following areas:
1) supervisory review, approval, and management, 2) documentation, and 3) policies.
1) Supervisory review, approval & management the recommendations were:
a. Strengthen the approval and monitoring process for P-Card activity.

b. Critically review the issuance of P-Cards to ensure that only appropriate personnel are issued P-cards and periodically verify the continuing business need for the card issuance.
c. Limit the number of cardholders for which an approving official is responsible.
d. Mandate initial and refresher training for both cardholders and approving officials.
2) Documentation the recommendations were:
a. Consistently record transactions using a log that captures relevant transaction data and documents the intended business purpose.
b. Maintain accountability for "Give-Away" items provided to students.
3) Policies the recommendations were:

a. Each institution should review its own P-Card policy and ensure that it fully addresses the Department of Administrative Services (DOAS) P-Card policy, the Business Procedures Manual (BPM), and the recommended practices that we identified at each campus. Campus policies should be no less stringent than DOAS and USG policies.
b. Ensure that P-Card purchases are consistent with other governing regulations to include cell phones, information technology purchases, and maintenance/repair purchases.
c. Adhere to competitive procurement requirements when making P-Card purchases.
In the accompanying article on page 4, we address the specific ways that the recommendations may be implemented.

2 The STRAIGHT and !"##$%

How to Incorporate P-Card Risk Management Enterprise-Wide

What do we mean by executive management leadership should incorporate P-Card risk management into an overall institutional risk management framework?
Appropriately managing risk on an enterprise-wide basis is an executive function that involves a cross-functional team comprised of academic, business, student services,

and administrative leadership. While the PCard program may appear to represent predominately a financial risk, there are components of reputational risk, compliance risk, and operational risk. Examples of these risks include negative public perception, noncompliance with laws, rules, and regulations, and

inefficient or inappropriate use of resources. Benefits of an enterprise approach include strategies that may be useful in budgeting, managing finances, managing supplies, securing better pricing, anticipating supply and inventory needs, improving overall purchasing processes, and maintaining a positive public image.

FY2008 Workshop Survey Results

From the Office of Internal Audit Reporting

Here is what attendees had to say about the FY2008 Year-End workshop. Total attendance was 156, with 86 surveys returned.

Overall Workshop Rating:

Excellent

26%

Very Good

55%

Good

17%

Fair

2%

Topics Covered Rating:

Excellent

17%

Very Good

56%

Good

26%

Fair

1%

Meeting Venue Rating:

Excellent

38%

Very Good

41%

Good

16%

Fair

5%

Materials Provided Rating:

Excellent

28%

Very Good

42%

Good

23%

Fair

6%

Poor

1%

Workshop Meals/Breaks:

Excellent

50%

Very Good

42%

Good

7%

Fair

1%

Topics for future workshops: P-Card updates SAS 112 update V8.9 update Scholarship Allowance AFR Note 6 Changes due to PS 8.9 Concerns for 2008 reporting 2008 Audit findings & Errors Plant contract accounting Grant accounting Component Unit, Aux. Rptg General Comments: More leadership from BOR Locate workshop centrally Video-conference instead Don't rush, don't read Publish materials sooner More comprehensive trng. More AIC representation

Department

AFR Reporting How did we do?

The Department of Audits and Accounts provides all of the Significant Adjustments and Uncorrected Misstatement details for the System to the Board of Regents, as required by SAS 114.
BOR Reporting will send out the details to the respective institutions with guidance for record-

ing or preventing in 2008.

Here are the numbers and dollars:

Significant Adjustments:

FY2007:

16

FY2006:

27

Uncorrected Misstatements:

FY2007:

141

FY2006:

100

Profit/(Loss) impact:

Significant Adjustments:

FY2007:

($292,320)

FY2006:

$11,159,909

Uncorrected Misstatements:

FY2007:

($5,049,166)

FY2006:

($15,742,105)

3 The STRAIGHT and !"##$%

3

Statement of Ethical Values Where to Begin?

House Bill 1113 lists multiple requirements pertaining to the State of Georgia Purchasing Card Program. While the bill has not yet been signed by the Governor, it did pass both houses of the legislature. One requirement enumerated in the bill as currently written is that: "Each employee receiving a purchasing card shall be required to sign an ethical behavior agreement for the use of the card which shall be developed by the department."
The purpose of this article is to discuss some of the factors that institutions should consider if required to implement this particular point of the law. Factors discussed in this article include the State of Georgia Code of Ethics and Board of Regents policies and procedures. Note that Institutions should consult legal counsel when interpreting or applying the law.
State of Georgia Code of Ethics The State of Georgia Code of Ethics as published in O.C.G.A. 45-10-1 is as follows:
Any person in government service should:
I. Put loyalty to the highest moral principles and to country above loyalty to persons, party, or government department.
II. Uphold the Constitution, laws, and legal regulations of the United States and the State of Georgia and of all governments therein and never be a party to their evasion.
III. Give a full day's labor for a full day's pay and give to the performance of his duties his earnest effort and best thought.
IV. Seek to find and employ more efficient and economical ways of getting tasks accomplished.
V. Never discriminate unfairly by the dispensing of special favors or privileges to anyone, whether for remuneration or not, and never accept, for himself or his family, favors or benefits under circumstances which might be construed by reasonable persons as influencing the performance of his governmental duties.
VI. Make no private promises of any kind binding upon the duties of office, since a government employee has no private word which can be binding on public duty.
VII. Engage in no business with the government, either directly or indirectly, which is inconsistent with the conscientious performance of his governmental duties.
VIII. Never use any information coming to him confidentially in the performance of governmental duties as a means for making private profit.
IX. Expose corruption wherever discovered.
X. Uphold these principles, ever conscious that public office is a public trust.
It should become clear upon reviewing the State Code of Ethics that it does not deal directly with some of the ethical considerations applicable to P-Cards. Perhaps more relevant are the Conflict of Interest provisions contained in O.C.G.A. Article 2 of Chapter 10 of Title 45. For example, O.C.G.A. 4510-23 prohibits "any full-time employee, for himself or on behalf of any business, or for any business in which such employee or member of his family has a substantial interest to transact any business with the agency by which such employee is employed." The law goes on to provide some exceptions applicable to the Board of Regents pertaining to our affiliated organizations (Foundations, etc.). However, the law would

clearly prohibit an employee with a P-Card from making an otherwise legitimate purchase from a company in which the employee or a family member has a "substantial interest."
In summary, there are certainly elements of state law that speak directly to purchasing card usage that should be included in an ethical behavior agreement.
Board of Regents Policies and Procedures
Numerous policies and procedures specific to the Board of Regents govern the ethical behavior expected of USG employees. For example, note the following excerpts from BOR Policy Manual Section 802.14:
An employee of the Board of Regents shall not directly or indirectly solicit, receive, accept, or agree to receive a thing of value by inducing the reasonable belief that the giving of the thing will influence his/her performance or failure to perform any official action. The acceptance of a benefit, reward or consideration where the purpose of the gift is to influence an employee in the performance of his/her official functions is a felony under O.C.G.A. 16-10-2.
An employee of the University System of Georgia or any other person on his/her behalf, is prohibited from knowingly accepting, directly or indirectly, a gift from any vendor or lobbyist as those terms are defined in Georgia statutes (O.C.G.A. 21-5-70(6) and 45-1-6(a)(5)b). If a gift has been accepted, it must be either returned to the donor or transferred to a charitable organization.
B. Appearance of Conflicts of Interest An employee shall make every reasonable effort to avoid even the appearance of a conflict of interest. An appearance of conflict exists when a reasonable person will conclude from the circumstances that the employee's ability to protect the public interest, or perform public duties, are compromised by personal interest. An appearance of conflict can exist even in the absence of a legal conflict of interest. Employees are referred to State Conflict of Interest Statutes O.C.G.A. 45-10-20 through 45-10-70 and Board of Regents Policies 802.16 through 802.1603 and institutional policies governing professional and outside activities.
The Business Procedures Manual also addresses some potential "ethical" issues. BPM Section 3.5 prohibits personal use of procurement channels absent a "specific and approved exemption." BPM Section 9.1.6 restricts service on financial institution governing boards by certain institutional officials in those instances where a commercial relationship exists. These are just a few examples of the ethical limits on personal behavior imposed by the Board of Regents.
Conclusion
An institutional purchasing card ethics policy designed to address purchasing card usage certainly should consider including relevant points from both state law and BOR policies and procedures. Additionally, the prohibited purchases as contained in the Georgia Department of Administrative Services purchasing card policy and BPM Section 3.3 should be considered for incorporation in the purchasing card ethics policy. Finally, the institution may wish to include a reference to all other governing laws, rules, and regulations that pertain to purchasing card usage and procurement activities. A wellwritten ethics policy can both serve to protect the institution while also educating employees on what behavior is required.

4 The STRAIGHT and !"##$%

Suggestions on Implementation of P-Card Audit Recommendations

Below we provide explanations on how best to implement the P-Card Audit recommendations. The references refer to the items noted in the accompanying article on page 1.
1.a. Employees performing the review function should be in a supervisory role. Additionally, department managers should monitor their budgets for unusual patterns or unexpected "spikes" of activity. A satisfactory review should include a manual review of P-Card receipts, receiving documents, etc. in addition to an online Bank of America WORKTM review.
1.b. Management should play an active role in 1) determining which employees are provided P-Cards, 2) establishing transaction and spending limits for cardholders based on their purchasing needs, 3) re-evaluating transaction and spending limits periodically, and 4) reviewing P-Card activity for volume. Activity thresholds should be established and P-Cards deactivated when activity is below the threshold.
1.c. A maximum number of cardholder's activity reviewed by approvers should be established. Approvers should not be responsible for reviewing more than seven to ten P-Cards.
1.d. Training of cardholders, approving officials, and the institution P-Card coordinator must be ongoing and mandatory. Individual cardholders and approving officials should be required to attend initial training prior to issuance of a PCard and refresher training. Participation should be documented. Failure to participate in refresher training should result in card suspension or revocation. Additionally, institutions should ensure that PCard coordinators are subject matter experts on P-Card laws, policies, rules, and regulations.
2.a. The business related purpose of each purchase should be documented to provide accountability. Adequate documentation should be prepared and retained that

supports the nature and business related purpose of transactions. The documentation should provide a clear and unambiguous record of compliance with all applicable procedures and guidelines. Each cardholder should maintain a log for review by the cardholder's approving official that details: a) purchase made by the cardholder, b) vendor's name, c) item(s) purchased, d) date of purchase, e) amount of purchase, f) name of employee making the purchase, g) business purpose for the purchase, and h) signature by the cardholder attesting to accuracy of the log and signature by the reviewer validating his/her review.
2.b. There are instances when it is appropriate to provide items to students in order to encourage participation in sanctioned campus events and as promotional items. The institution should establish the proper controls to ensure that only students or potential students receive these items and that the distribution is properly documented. Institutions must comply with the provisions of the State Constitution that forbid gratuities by state government.
3.a. Each institution should review its own PCard policy and ensure that it fully addresses the DOAS P-Card policy, the BPM, and the recommended practices that we identified at each campus. Campus policies should be no less stringent than DOAS and USG policies.
3.b. There are various P-Card purchases that are integral to operation of major university functions/areas. Examples include Communications, Information Technology, and Physical Plant. These purchases must comply not only with the rules related to the P-Card program but also their own specific policies and procedures. Prior to the P-Card purchase in any of these areas, controlling rules, regulations, and guidelines should be reviewed and adhered to.
3.c. Multiple individuals purchasing items on behalf of an institution may inadvertently result in violations of the state's competitive procurement requirements. Each institution should closely monitor ongoing P-Card activity and historical P-Card activity so as to identify purchases that should be competitively procured.

Board of Regents of the University System of Georgia Office of Internal Audit 270 Washington Street S.W. Atlanta, GA 30334-1450 Phone (404)657-2237 Fax (404) 651-9444
"Creating A More Educated Georgia"
www.usg.edu
We're on the Web! See us at: www.usg.edu/offices/audit .phtml