Audit: City credit card use slowed during pandemic but exposed underlying risks

Photograph of a person typing on a laptop with one hand and holding a credit card in the other hand.
New risks for City-issued credit card misuse emerged when employees began working from home due to COVID-19. We asked: How did compliance with rules, management, and card spending change? We found some issues the City should shore up to prevent misuse.
In this article

City operations changed almost overnight in response to the COVID-19 pandemic. Employees who could work from home shifted City business to their kitchen tables and home offices, and the in-person interactions between coworkers disappeared. Employees who previously locked their City-issued credit cards in office drawers, took them home so they could purchase items and have them shipped to their coworkers.

The pivot to remote work created different risks and opportunities for misuse than when employees worked in City offices. We reviewed City credit card transactions to assess spending trends and compliance with City rules. Most purchases made in June, July, and August 2020 that we reviewed complied, but we also found problems unrelated to pandemic spending that need management’s attention to resolve.

Cards streamline purchasing, but come with risks

The City issues cards to eligible employees to simplify their ability to make purchases of $10,000 or less. Bureaus use cards to purchase goods that frequently need replenishing, such as office supplies; pay dues, or buy items, such as wireless mice for remote work locations. Managers should have safeguards in place to prevent or detect waste, fraud, and misuse of City-issued cards, which are inherent risks. That became more acute during remote work, given that more than 1,200 employees had cards, which were used in Fiscal Year 2019-20 to make almost 70,000 purchases totaling $15.4 million.   

Most of the 11,000 purchases complied with rules

Most of the nearly 11,000 purchases we reviewed that were made over three months of remote work complied with City rules. We found purchases that seemed to violate the rules and from a sample of those, we confirmed that 21 did not comply. Almost half of those involved a prohibited practice of splitting purchases to stay below the cardholders’ credit limit. Three of the split purchases exceeded the state’s small procurement limit of $10,000 and didn’t have the required prior approval of the Chief Procurement Officer. Six purchases involved technology hardware and software bought without the required approval of the Bureau of Technology Services.

But some rules were inaccurate or impractical

The City’s Procurement Services Division created a manual with references to City rules governing card use. The manual contains requirements that cannot be met and others that are not enforced. For example, the manual says:

  • Certain items should be purchased from two recommended vendors even though other vendors are allowed.
  • Cardholders must pass a test on the rules before getting a card, but no such test exists.
  • Cardholders must confirm that vendors are certified as Equal Employment Opportunity employers, but there is no realistic way to verify such a certification.

Recommendations to ensure the procurement manual is accurate and understood:

  1. Procurement Services should update the manual to ensure that the rules it references are accurate and enforceable.
  2. Procurement Services should implement certification and recertification testing to ensure cardholders can demonstrate knowledge of rules.

Some cardholders skipped required technology reviews before purchases

Of the $15.4 million spent by cardholders in Fiscal Year 2019-20 on behalf of the City, nearly $600,000 was for technology hardware and software. Some of those purchases were made without the required review and approval of the Bureau of Technology Services.

The Bureau’s prior approval is intended to ensure products are compatible with the City’s network and to determine if it can provide ongoing technical support and updates. Technology Services also may have access to manufacturers’ discounts. Technology Services will negotiate enterprise agreements and related training if there is enough demand for a product, which could save money and benefit employees Citywide. These goals are undermined when cardholders pay for individual subscriptions and licenses.

Technology Services does not have direct access to Citywide transaction data, so it was not aware of all the purchases made outside of its review process.

Recommendation to enable Technology Services to identify violations:

  1. Procurement Services should ensure that the Bureau of Technology Services has direct access to Citywide procurement card transaction data so it can use the data to identify violations of technology purchasing rules and opportunities to maximize savings.

Authority and responsibility to enforce rules isn’t clear, and where it is, it’s not always happening

Most of the approval and post-purchase reviews of cardholder activity are the responsibility of individual bureaus, which are aided by a payment management system provided by the City’s bank. The Procurement Services Division reviews purchases randomly to ensure they are approved and comply with rules, but the breadth of the review and follow-up with bureaus on questionable purchases varies based on Procurement staff workload and resource constraints. It was unclear the extent to which bureau review processes checked for compliance with cardholder rules set by Procurement. The manual does not say who is responsible for this.

For example, we found evidence that cardholders had split purchases to stay below their transaction limit. The manual states that policy violations like these will result in card suspension or revocation, and possibly termination. Bureaus approved the purchases, and Procurement did not flag them as non-compliant with City rules. Procurement historically has not consistently suspended or revoked cards for such violations. Procurement staff deferred to the bureau-level approval and acknowledged that splitting purchases is sometimes more efficient than making a temporary change to a card’s spending limit.

City Code gives the Accounting Division in the Bureau of Revenue and Financial Services authority to test transactions for compliance. But an Accounting Division manager said it has not had the staff to play a centralized monitoring role until recently.

Without clear responsibility for rule monitoring and enforcement, violations of City rules are not consistently identified and corrected, and cardholders are not notified, coached, or disciplined to stop prohibited purchases.

Recommendations to ensure that monitoring roles are clear and enforcement is exercised:

  1. The Office of Management and Finance should determine who is responsible for monitoring compliance with rules throughout the purchase cycle and ensure they have the appropriate authority to enforce them.
  2. Procurement Services subsequently should update its manuals to incorporate the responsible parties.

Using credit cards to purchase gift cards for volunteers fell in a gray area

Our review found that cardholders purchased nearly $10,000 in gift cards during the three-month period early in the pandemic. The majority were used to reward people who volunteered with the City in various capacities, from filling out a survey to service on a committee. Such purchases were not guided or prohibited by City policies.

Guidance on how bureaus should account for and safeguard gift cards, which are like cash, would protect against their potential for misuse or loss. Individual employees make ad hoc decisions about how much, how often, and for which types of volunteer service to reward with gift cards in the absence of a policy for such activities.

Recommendation to reduce risks related to gift cards:

  1. The Office of Management and Finance should develop a Citywide policy to address the purchase, documentation, safeguarding, and appropriate use of gift cards, including guidance specific to rewarding volunteers.

Pandemic-era card use decreased; Police Bureau spending on food spiked

As expected, spending declined last year compared to 2018-19. Spending fell sharply at the outset of remote work in March and bound back as bureaus made end-of-year purchases in June, the last month of the City’s budget year.

Line graph illustrating spending has been down after the pandemic began in March 2020 compared to the year before.

Citywide spending on food increased 1,506 percent from May to June, jumping from $18,000 to $289,000. The increase was driven by the Police Bureau, which spent $273,000 in June to feed officers during nightly racial justice protests. The Portland Police Association’s contract requires the City to provide meals when officers must eat in a specific location for safety reasons.

Dig deeper into spending trends by visiting our interactive report. This video shows how to get the most out of the report.

Managers from the Office of Management and Finance generally agreed with our audit recommendations

View the response to the audit from Chief Administrative Officer Tom Rinehart and Chief Financial Officer Michelle Kirby.

How we did our work

Our audit objective was to review the City’s procurement card transactions to assess trends and management controls and identify compliance with City rules during remote work.

To accomplish our objective, we:

  • Interviewed staff and managers in Procurement, Accounting, the Bureau of Technology Services, and Bank of America.
  • Reviewed rules referenced in the procurement card manual, procurement card internal controls, reports about and audits of the procurement card program and audits of procurement cards performed by other jurisdictions.
  • Assessed trends in procurement card spending from September 1, 2018 to August 31, 2020, using Power BI. We relied on computer processed data from the Bank of America Works program for audit findings and conclusions. We concluded that the data were sufficiently reliable.
  • Tested 10,522 transactions from June 1-August 31, 2020, for compliance with rules in the procurement card manual using Audit Command Language software. We performed tests to identify purchases in each of the following categories:
    • Prohibited goods and services.
    • Technology related items that bureaus should purchase from preferred vendors.
    • Technology hardware and software that should be reviewed and approved by Technology Services.
    • Purchases from vendors with Merchant Category Codes that are restricted in Works, are on a list of codes Procurement staff reviews, and codes with descriptions indicating the merchant sells prohibited items or services that are not on the program’s list.
    • Purchases from one cardholder to one vendor that over one or two days exceeded $10,000. We relied on a report from Works showing purchases by one cardholder to one vendor on one day that exceeded the cardholder’s single transition limit.
    • Duplicate transactions.
    • Transactions where the cardholder was also the approver.

We selected a non-random sample of potentially prohibited purchases from each type of item or service to explore with Procurement Services Division staff, and, if necessary, with the cardholder’s bureau. The judgmentally selected samples are not statistically valid, so results cannot be projected to the entire population. We chose the three-month timeframe because many employees were working remotely because of the pandemic. Our sample size was chosen based on its reasonableness for follow-up on potential violations.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.