Item 4.a.
November 22, 2021
TO: FINANCE COMMITTEE
FROM: STEPHANIE KING, PURCHASING & MATERIAL SERVICES MANAGER
PHILIP LEIBER, DIRECTOR OF FINANCE AND ADMINISTRATION
REVIEWED BY: ROGER S. BAILEY, GENERAL MANAGER
SUBJECT: RECEIVE OVERVIEW OF PROCUREMENT CARD (P-CARD) PROGRAM
INTERNAL CONTROLS
At the September 28, 2021 Finance Committee meeting, during the review of expenditures, Finance
Committee Member McGill requested an overview of Purchasing Card program provisions to include who
is issued cards, purchase limits, and the approval process of charges.
As background, staff presented an overview of Accounts Payable process internal controls on June 22,
2021, which included some provisions related to P-Cards. Also on May 21, 2018, an internal audit of P-
Card transactions was presented by Maze & Associates.
The General Manager is authorized to administer the P-card program based on Board Policy BP 037
Delegation of Authority to General Manager, Section 12 which states that "The General Manager is
authorized on behalf of Central San to enter into credit card agreements and administer the credit card
program on behalf of Central San." The procedures for this program are documented in the Procurement
Card User Guide which provides comprehensive guidelines for cardholders.
New card issuances and changes can only be authorized by the Purchasing Division. New cards are
requested through an electronic form (Attachment 1) in DocuSign requiring specific information, including
employee number and requested limits. This form is routed for approval to the employee's Supervisor,
Division Manager, and Department Director. The form then gets routed to the Purchasing Manager who
reviews each new request to ensure that all information has been provided, approvals have been obtained
and appropriate limits requested. The form then goes to the Contracts and Procurement Specialist who
requests the new card from the bank. Prior to receiving the physical card, the employee must attend
procurement card training and sign a Cardholder Agreement (Attachment 2) confirming they will comply
with all District policies and procedures when utilizing the card.
As of 9/28/21, there were 149 active cards as follows:
• CSO — 51
• POD — 42
• ADMIN — 29
• ENG — 27
November 22, 2021 Regular FINANCE Committee Meeting Agenda Packet - Page 4 of 167
Each cardholder has a single transaction and 30-day purchase limit on their card that can only be modified
by Purchasing. Cardholders are unable to exceed their approved limits, which range from $500 to $5,000
for a single transaction and $2,000 to $25,000 for a 30-day limit (Attachment 4 lists three exceptions to
these limits). Any transaction that exceeds the individual's P-Card limit will automatically be declined at the
point of sale. In addition, MCC (Merchant Category Codes) Blocking prevents purchases of specific high-risk
or cash-related transactions so that any attempts will be automatically declined. The system can also
monitor transactions and, under certain circumstances, notify the program administrators after the
transactions post. One example of this is identifying potential split transactions. If there were an attempt
to split a larger transaction into multiple, smaller transactions to circumvent their limit, an automatic
notification would alert the program administrators so that they may further investigate and address as
necessary.
P-Card expenses are entered monthly into the Oracle system by the cardholder or their assigned
administrative assistant. The P-card policy specifies that expense reports are due to Finance no later than
the 10th day following the statement end date (typically the 22nd or 23rd of the month). All p-card
purchases must be accompanied by supporting documentation. P-card transactions cannot be submitted
without uploaded supporting documentation unless a "missing receipts" box is selected. In this case,
cardholders are required to upload a Justification for Missing Receipt form which must be approved
(manually) by their supervisor. All such expense reports must be reviewed and authorized by a
cardholder's supervisor. All p-card transactions are also reviewed by a designated auditor in the Finance
Division prior to posting; the system will disallow any transactions from posting unless they are marked
"audited" by that individual. Only specified Finance Division personnel are assigned this role in Oracle.
Amongst other criteria, the audit performed by Finance staff includes verifying appropriate approval, that
appropriate back-up was attached, that the expense coding is correct, and that the purchase is in
accordance with the p-card policy.
At the 6/22/21 Finance Committee, a presentation was made that detailed other P-card controls related to
the payables processes. Attachment 3 is the presentation for more information on these controls.
The P-card program is an important tool that increases efficiencies in the procurement process for
micro-purchases. Continuing to enforce and improve controls is vital to the program. The last P-card audit was
for the 2017 calendar year and was primarily a transactional audit; however, a more comprehensive P-card
audit may be conducted by Internal Audit in the future.
Strategic Plan Tie-In
GOAL TWO: Environmental Stewardship
Strategy 1 — Achieve 100% compliance in all regulations
GOAL THREE: Fiscal Responsibility
Strategy 2 — Ensure integrity and transparency in financial management
ATTACHMENTS:
1. Request Form
2. User Agreement
3. Presentation from June 8, 2021
4. P-Card Limits
Attachment 1
CENTRAL SAN
Procurement Card Request/Change Form
Request to:
0 Issue New Procurement Card
❑ Make a Change to Existing Procurement Card
❑ Close Procurement Card Account
Cardholder's Legal Name: Geoffrey Niswander
Cardholder's Title: Senior HHW Technician
Cardholder's Employee ID: 1182
Cardholder's Work Email: gniswander@centralsan.org
Cardholder's Work Phone No. 925-335-7785
Will the cardholder book travel on behalf of other employees? Yes X No
Department:
❑ Administration
☒ Engineering and Technical Services
❑ Operations
Division: Environmental & Regulatory Compliance
Approving Official Name (Direct Supervisor): David Wyatt
Requested Single Purchase Transaction Limit: $3,500
(Complete when requesting new Procurement Card or change to existing card limit. Maximum limit is $5,000)
Reason for Change (Complete when requesting changes to existing pcard or closing account)
Signatures:
Cardholder    Date: 9/11/2021
Approving Official    Date: 9/11/2021
Division Manager    Date: 9/12/2021
Department Director    Date: 9/14/2021
Purchasing Processing:
Purchasing Manager Initials    Buyer Initials
Attachment 2
CENTRAL CONTRA COSTA SANITARY DISTRICT
PROCUREMENT CARD PROGRAM
CARDHOLDER AGREEMENT
I understand I am being entrusted with a Central Contra Costa Sanitary District (the "District") Procurement Card (the
"Card") and will be making financial commitments on behalf of District. This card is being provided to me to enable
me to purchase approved materials and supplies for the District and I will strive to obtain the best value for the
District. This card is not an entitlement or benefit, nor reflective of title or position. The Card may be revoked at any
time at the sole discretion of the District. In return for the purchasing authority delegated to me and in consideration
of my responsibility to properly steward public resources, I agree to the following:
1. I agree to comply with the terms and conditions of this Agreement, the Procurement Card User Guide (the
"Guide") and all subsequent revisions to the Guide. I acknowledge receipt of the Procurement Card User
Guide and affirm that I have read, understand and agree to its terms and conditions.
2. I have attended mandatory training regarding usage of the Procurement Card on ____________.
Training was conducted by: ____________. In this training I was given the
opportunity to ask any questions to clarify my understanding of the Procurement Card Program. I
acknowledge receipt of my Procurement Card. Procurement Card Account # ____________
3. I understand that under no circumstances will I use the Procurement Card to make personal or unauthorized
purchases, either for others or myself. Willful intent to use the Procurement Card for personal gain or
unauthorized use may result in disciplinary action up to and including termination of employment and
prosecution to the extent permitted by law. Should I fail to use the Procurement Card in accordance with
this Agreement, I understand that in addition to any disciplinary action that might be taken, I will be required
to reimburse the District an amount equal to the total of the improper or unauthorized purchases. I also
agree to allow the District to collect any amounts owed by me even if the District no longer employs me. If
the District initiates legal proceedings to recover amounts owed by me under this Agreement, I agree to pay
legal fees incurred by the District in such proceedings.
4. I understand that I will not request or receive cash from suppliers as a result of exchanges or returns.
5. I agree to complete, approve and remit a monthly Oracle Procurement Card Expense Report with all
applicable information as well as purchase receipts for all transactions.
6. I agree to review and reconcile my Procurement Card Monthly Statement (the "Statement") within five (5)
days of receipt of the Statement.
7. I agree to protect and safeguard the Card and to promptly report any lost or stolen Card. If my Card is lost
or stolen, or if I believe another is using my account, I will immediately notify the issuing bank by telephone.
I will confirm the telephone notification by mail or facsimile to the issuing bank with a copy to the
Procurement Card Program Administrator. I understand that failure to promptly notify the issuing bank and
the District of the theft, loss or misplacement of the Card could make me responsible for any fraudulent use
of the Card.
8. I agree to surrender the Card to my Approving Official or the Procurement Card Administrator immediately
upon retirement, termination or upon request. I understand that the use of the Procurement Card after
privileges are withdrawn is prohibited.
Bank Contact:
U.S. Bank 24 Hour Customer Service
Phone: 800-344-5696
District Contacts:
Program Administrator: Stephanie King Ext. 307
Program Alternate: Chris Newkirk Ext. 352
Billing Official: Nicole Marshall Ext. 325
My signature below indicates that I have read and will comply with the terms of this Agreement and the Procurement
Card User Guide.
Cardholder:
Signature: _
Date:
Program Administrator:
Signature:
Date:
CC: Human Resources (original) and Cardholder (copy)
9/29/20
Attachment 3
Central San
Accounts Payable Risk Assessment in Oracle
Assessment of internal controls over payables cycle, created in response to Finance Committee inquiries at the 12/15/20 meeting
Business Cycle: Supplier Invoice Processing

Business Risk: Invoices are not received or processed in a timely manner
Mitigating Control(s):
1. Though not strictly enforced by policy, Finance has promoted the centralization of all invoice delivery to a single shared but restricted access email account
2. A list of recurring bills is maintained and actively monitored by the Finance Division
Comments / Residual Risk Assessment:
Finance encourages all divisions to have supplier invoices emailed directly to a centralized restricted-access email account monitored by multiple Finance staff daily. Periodically, suppliers will submit invoices directly to the division that oversees their work, which increases the risk that an invoice may not be received by Finance. Finance personnel could also potentially misplace an invoice after it is received. If a supplier has not been paid for goods delivered or services rendered, they will generally call accounts payable directly, who will research the matter further.
As multiple staff are involved in the accounts payable function, Finance maintains a collaborative list of recurring bills. The list identifies all recurring non-PO suppliers and allows staff to see if the invoice was accrued and expensed in the month to which it pertains, or expensed (and paid) in a subsequent month.
Control Type: Manual

Business Risk: Invoices are not approved timely once entered
Mitigating Control(s):
The system has been configured to automatically remind approvers of pending invoices and escalate to the next level after a specific time has passed
Comments / Residual Risk Assessment:
There are automatic approval reminders issued to invoice approvers at the 24 hr and 48 hr mark (business hours). Furthermore, invoices pending approval are automatically escalated at the 72 hr mark. While it is a relatively tight timeframe, and some employees have expressed concern with the shortness, these automated reminder and escalation rules have generally been proven to be effective to ensure the timeliness of supplier payments.
Control Type: Automated

Business Risk: Invoices are not approved
Mitigating Control(s):
The system requires all invoices to be approved by one or more authorized personnel prior to both posting and issuing payment.
Comments / Residual Risk Assessment:
In critical circumstances, to avoid delinquencies, defaults or other adverse scenarios, the Finance Manager and Accounting Supervisor have the ability to manually override and approve a pending invoice for payment. In these circumstances, the practice is to upload a copy of the subsequent divisional approval of the invoice to the payables module. Manual overrides are rare, and are separately traceable and periodically reviewed by Finance staff.
Control Type: Automated
Business Risk: Invoices are approved by the wrong person
Mitigating Control(s):
The system requires all invoices to be approved by one or more authorized personnel prior to both posting and issuing payment.
Comments / Residual Risk Assessment:
System invoice approval workflow configuration works up the organizational hierarchy in line with the invoice approval matrix approved by the General Manager. Workflow is driven by the "requestor" identified by the invoice submitting division or PO (if applicable) and assigned by the AP Accounting Technician.
Control Type: Automated

Business Risk: Fictitious invoices are entered
Mitigating Control(s):
1. The system requires all invoices to be approved by one or more authorized personnel prior to both posting and issuing payment.
2. Invoice approval authority is limited to those specified in the master approval authority matrix.
3. Invoice entry is limited to specific Finance division personnel who do not approve invoices.
4. Invoices must be attributable to specific suppliers, and only the Purchasing Manager has the authority to create suppliers.
Comments / Residual Risk Assessment:
There are multiple compensating controls in place over this key risk. These internal controls are a significant enhancement over the legacy system's controls as they are built into the configuration of the system, which results in the automatic rejection of a transaction unless security parameters are met. Approval limits have been configured into the Payables module as outlined in an approval matrix enacted by the General Manager.
Accounts Payable staff do not have the authority or ability to approve invoices in the system. While Accounts Payable staff can issue supplier registration requests, creation of suppliers must be electronically approved by the Purchasing Manager.
Control Type: Automated

Business Risk: Duplicate invoices entered and approved
Mitigating Control(s):
The system prevents duplicate invoices from being entered/processed
Comments / Residual Risk Assessment:
This is a basic and standard control for ERP systems, but effective. Invoice numbers must be identical for the system to prevent duplicate entries.
Control Type: Automated
Business Risk: Accruals are missed
Mitigating Control(s):
A list of recurring bills is maintained and actively monitored by the Finance Division.
Comments / Residual Risk Assessment:
As multiple staff are involved in the accounts payable function, Finance maintains a collaborative list of recurring bills. The list identifies all recurring non-PO suppliers and allows staff to see if the invoice was accrued and expensed in the month to which it pertains, or expensed (and paid) in a subsequent month.
Unlike for publicly-traded corporations, where interim financial reports must be full accrual and be independently audited, public agencies do not generally enforce strict full accrual accounting for interim reporting. Finance does strive to employ accrual accounting and hold a fiscal month open for a few days at the close of interim months in order to capture all known invoices, however a full accrual close is not strictly enforced for interim months. At year end in July there is a strong emphasis to accrue all applicable invoices back to the prior year to ensure proper cut-off and completeness for the annual audited financial statements.
Control Type: Manual

Business Risk: Debit memos are not tracked or recorded
Mitigating Control(s):
1. Invoices are required for all supplier payments.
2. The system requires all invoices to be approved by one or more authorized personnel prior to both posting and issuing payment.
Comments / Residual Risk Assessment:
Under most circumstances, invoices are required for all payments and Finance staff are instructed not to pay based on supplier statements or debit memo alone. Any debit memos would require an accompanying invoice with an outstanding balance. In addition, the system requires that all invoices are approved by an authorized party outside of the Accounts Payables function to be posted and paid. Following these rules, any unpaid prior balances must be reviewed, coded, and authorized by an employee with signatory powers.
Control Type: Combination
Business Risk: Purchase returns are not properly recorded
Mitigating Control(s):
1. Per Central San Policy, unless specifically pertaining to a permit counter or household hazardous waste transaction, all inbound payments must be directed to the attention of "Accounts Receivable" and follow a strict documented chain of custody protocol.
2. All goods invoices connected to a PO must undergo a 3-way match (invoice to PO to goods receipt) prior to payment. The system will not allow payments on PO supplies invoices that are unmatched.
3. All goods receipts connected to a PO, including returns, are handled by Warehouse personnel.
Comments / Residual Risk Assessment:
By policy, centralizing all inbound payments to one function deters employees from being able to accept supplier checks for any returns. The strict documented chain of custody process helps to deter potential forgery and theft of receipts.
All returns of "supplies & materials", with the exception of most office supplies, are managed by the Warehouse (Purchasing Division) who are responsible for handling goods and updating inventory records and are not involved in payment or receipts processing.
Control Type: Combination

Business Risk: Receiving report and vendor invoice do not match
Mitigating Control(s):
1. All goods invoices connected to a PO must undergo a 3-way match (invoice to PO to goods receipt) prior to payment. The system will not allow payments on PO supplies invoices that are unmatched.
2. The functions of invoice approvals, goods receipts, and invoice recording are segregated.
Comments / Residual Risk Assessment:
A 3-way match ensures goods ordered are actually received and recorded prior to issuing a payment on the underlying invoice. 3-way matches are required for all purchases of goods and materials connected to a PO. The system will only allow payment on invoice quantities that match to a receipt and only specified personnel in the Warehouse (Purchasing Division) are authorized to issue goods receipts and adjust quantities and invoice pricing.
Operational divisions requesting goods/services approve invoices (supervisor or higher), the Warehouse (Purchasing Division) receives goods (related to a PO, covering most goods), and Accounts Payable (Finance Division) records invoices/payments.
Control Type: Combination
Business Cycle: Issuing Supplier Payments

Business Risk: Fraudulent invoices are paid
Mitigating Control(s):
1. The system requires all invoices to be approved by one or more authorized personnel prior to both posting and issuing payment.
2. Invoice approval authority is limited to those specified in the master approval authority matrix.
3. Payment of all invoices > $2.5k must be reviewed by the Finance Manager.
4. Checks > $2.5k require review/initialing by Director of Finance prior to being delivered to the County for countersignature.
Comments / Residual Risk Assessment:
There are multiple compensating controls in place over this key risk, including controls that are both manual as well as automated. Approval limits have been configured into the Payables module as outlined in the master approval matrix enacted by the General Manager.
Control Type: Combination

Business Risk: Duplicate payments made
Mitigating Control(s):
System prevents duplicate invoices from being entered/processed
Comments / Residual Risk Assessment:
System will only allow payments to be issued against validated and approved invoices. Once an invoice has been approved and paid, its status is updated to "paid" preventing further payments from being issued.
Control Type: Automated

Business Risk: Unauthorized checks are issued
Mitigating Control(s):
1. Access to manual pre-printed check stock is limited to two key Finance personnel involved in the payables process.
2. Cash accounts are reconciled monthly by an Accountant not involved in the AP recording process.
3. Regular checks are blank stock and must be printed directly out of Oracle. Access to print checks is restricted to specific authorized personnel in Finance Division.
4. Checks > $2.5k require review/initialing by Director of Finance prior to being delivered to the County for countersignature.
Comments / Residual Risk Assessment:
There are multiple compensating controls in place over this risk, including a combination of manual as well as automated controls. Manual checks are stored in a restricted-access location in a safe with a digital combination with unique access codes issued to authorized Finance personnel.
Control Type: Manual
Business Risk: Payments are made late or missed
Mitigating Control(s):
1. Standard payment terms on contracts at Central San are "net 30" from the date of invoice receipt.
2. Every check run, all entered and approved invoices are paid, regardless of the due date.
3. A list of recurring bills is maintained and actively monitored by the Finance Division
Comments / Residual Risk Assessment:
Standardizing payment terms on all Central San contracts allows for some level of predictability for invoice processing. Terms are "Net 30" from the date of invoice receipt, and supplier payments are normally issued weekly (reduced temporarily to bi-weekly during the pandemic). This timeframe generally allows for a sufficient turnaround time for timely payment processing. Furthermore, Central San has a long-standing past precedent policy of paying all approved invoices every check run, regardless of the due date on the invoice. This also helps reduce the number of entered and approved invoices that become delinquent.
Periodically, suppliers will submit invoices directly to the division they work with, which may increase the risk that an invoice is not received by Finance. Finance personnel could also potentially misplace an invoice after it is received. However, if a supplier has not been paid for goods delivered or services rendered, they will call accounts payable directly, who will research the matter further.
As multiple staff are involved in the accounts payable function, Finance maintains a collaborative list of recurring bills. This list allows staff to collaborate on the status of recurring bills and shows whether an invoice was accrued and expensed in the month to which it pertains, or expensed (and paid) in a subsequent month.
Control Type: Manual

Business Cycle: Processing Procurement Card Transactions

Business Risk: P-card expense transactions are incomplete
Mitigating Control(s):
On a monthly basis, all US Bank transactions are uploaded to Oracle via data import, ensuring all transactions are recorded.
Comments / Residual Risk Assessment:
Previously, it was a manual process to enter p-card transactions per the monthly US Bank report and p-card expense reports into the accounts payable subledger to pay US Bank. While the import process is initiated manually, the nature of it being an import helps ensure completeness of expenses.
Control Type: Combination
Business Risk: Cardholders make unauthorized transactions
Mitigating Control(s):
1. All p-card expense reports must be reviewed and authorized by a cardholder's supervisor prior to posting
2. The system requires all p-card transactions to be audited by a designated auditor in the Finance Division prior to posting.
3. All p-card purchases must be accompanied by supporting documentation.
Comments / Residual Risk Assessment:
The Oracle expenses module, which is used to administer p-card transactions, is integrated with the Oracle HCM module enabling automatic routing of monthly p-card expense reports to cardholder supervisors for approval after submission. Each employee is assigned a unique Oracle identification, so there is a higher confidence that the person approving the report is authorized and does in fact supervise the cardholder. Previously, this was entirely manual, opening up the possibility that an approving supervisor's signature was forged or approved by the wrong person otherwise.
P-card transactions cannot be submitted without uploaded supporting documentation unless a "missing receipts" box is selected. In this case, cardholders are required to upload a Justification for Missing Receipt form which must be approved (manually) by their supervisor.
Control Type: Combination

Business Risk: Cardholders circumvent purchasing policies
Mitigating Control(s):
The system requires all p-card transactions to be audited by a designated auditor in the Finance Division prior to posting.
Comments / Residual Risk Assessment:
While the process of auditing p-card expense reports is manual requiring knowledge of the p-card policies and some judgment, the system will disallow any transactions from posting unless they are marked "audited" by a designated Expenses "Auditor". Only specified Finance Division personnel are assigned this role in Oracle.
Control Type: Combination

Business Risk: Excessive purchases are made via p-card
Mitigating Control(s):
Each p-card has an individual purchase limit and a 30 day transaction limit that is established and can only be modified by the Purchasing Division
Comments / Residual Risk Assessment:
While the process of assigning a transaction limit is manual requiring knowledge of the p-card policies and some judgment, US Bank will disallow any transactions in excess of the specified transactional or monthly thresholds. Only specified Purchasing Division staff are authorized to set and change single purchase or 30 day limits.
Control Type: Combination

Business Risk: Cards issued to fictitious employees
Mitigating Control(s):
1. All new card issuances must be authorized by the Purchasing Division.
2. All p-card expense reports must be reviewed and authorized by a cardholder's supervisor prior to posting.
3. P-card charges are automatically assigned to existing employees in the system within the HCM system.
Comments / Residual Risk Assessment:
By centralizing the authority to issue p-cards to specific assigned personnel within the Purchasing Division this effectively segregates the duties from the Finance Division, which is responsible for auditing and posting transactions. Furthermore, the system has been configured to require supervisory approval on all p-cards, which would aid in the detection of any illegitimate p-card charges by either a fictitious or terminated employee. Lastly, all p-card charges must be assigned to an employee in the system, and only the Human Resources division, through Oracle HCM, is authorized to create employees.
Control Type: Combination
Business Risk: Fraudulent transactions are not detected and/or corrected in a timely manner
Mitigating Control(s):
1. To be posted, all p-card expense reports must be reviewed and authorized by their supervisor.
2. The system requires all p-card transactions to be audited by a designated auditor in the Finance Division prior to posting.
3. The p-card policy specifies that expense reports are due to Finance no later than the 10th following the statement end date (typically the 22nd or 23rd)
Comments / Residual Risk Assessment:
The Oracle expenses module, which is used to administer p-card transactions, is integrated with the Oracle HCM module enabling automatic routing of monthly p-card expense reports to cardholder supervisors for approval after submission. Each employee is assigned a unique Oracle identification, so there is a higher confidence that the person approving the report is authorized and does in fact supervise the cardholder. Previously, this was entirely manual, opening up the possibility that an approving supervisor's signature was forged or approved by the wrong person otherwise.
Amongst other criteria, the audit performed by Finance staff includes verifying appropriate approval, that appropriate back-up was attached, that the expense coding is correct, and that the purchase is in accordance with the p-card policy.
Finance has a protocol in place to follow up with cardholders prior to and subsequent to expense reports becoming "delinquent". This process involves an escalation of communications up the chain as time passes. Repeat offenders or cardholders that do not submit a p-card expense report are reported to Purchasing who may revoke card privileges.
Control Type: Combination
Business Risk: Terminated employees making P-card transactions
Mitigating Control(s):
1. Employees are required to relinquish their p-cards to Human Resources during their exit interview.
2. All p-card expense reports must be reviewed and authorized by a cardholder's supervisor prior to posting.
3. The Purchasing Division sets single transaction and 30-day credit limits and is the only division authorized to do so.
Comments / Residual Risk Assessment:
A termination checklist is maintained by Human Resources that includes the requirement to collect a p-card, if one was issued to the employee. The p-card is then destroyed by Human Resources who communicates with the Purchasing Division to deactivate the card.
The Oracle expenses module, which is used to administer p-card transactions, is integrated with the Oracle HCM module enabling automatic routing of monthly p-card expense reports to cardholder supervisors for approval after submission. Each employee is assigned a unique Oracle identification, so there is a higher confidence that the person approving the report is authorized and does in fact supervise the cardholder. Previously, this was entirely manual, opening up the possibility that an approving supervisor's signature was forged or approved by the wrong person otherwise.
Each cardholder has a single transaction and 30-day purchase limit on their card that can only be modified by Purchasing. This helps to reduce the exposure of any excessive charges incurred by a disgruntled employee approaching termination.
Control Type: Combination

Business Risk: Procurement cards are stolen
Mitigating Control(s):
1. Per the procurement card user guide, all cardholders are responsible for immediately reporting a lost or stolen card directly to US Bank, which provides a 24 hour hotline.
2. The Purchasing Division sets single transaction and 30-day credit limits and is the only division authorized to do so.
Comments / Residual Risk Assessment:
By delegating the responsibility to report a lost or stolen card upon issuance to cardholders, a missing card can be frozen by the issuing bank immediately, even if it is after business hours or during a weekend.
Each cardholder has a single transaction and 30-day purchase limit on their card that can only be modified by Purchasing. This helps to reduce the exposure of any excessive charges incurred by a disgruntled employee approaching termination.
Control Type: Combination

Business Risk: Supporting receipt evidence not provided or maintained in system

Mitigating Control(s):
1. To be posted, all p-card expense reports must be reviewed and authorized by the cardholder's supervisor.
2. The system requires all p-card transactions to be audited by a designated auditor in the Finance Division.

Comments / Residual Risk Assessment:
The Oracle expenses module, which is used to administer p-card transactions, is integrated with the Oracle HCM module, enabling automatic routing of monthly p-card expense reports to cardholder supervisors for approval after submission. Each employee is assigned a unique Oracle identification, so there is a higher confidence that the person approving the report is authorized and does in fact supervise the cardholder. Previously, this was entirely manual, opening up the possibility that an approving supervisor's signature was forged or that the report was otherwise approved by the wrong person.
Amongst other criteria, the audit performed by Finance staff includes: verifying approval, reviewing back-up documentation, reviewing that the expense coding is correct, and verifying that the purchase made was in accordance with the p-card policy.

Control Type: Automated

Business Risk: Auditor in Finance approves a disallowed transaction.

Mitigating Control(s):
1. To be posted, all p-card expense reports must be reviewed and authorized by the cardholder's supervisor.
2. The Auditor cannot bypass an expense transaction that is "disallowed" (rejected) by a cardholder's supervisor.

Comments / Residual Risk Assessment:
The Oracle expenses module, which is used to administer p-card transactions, is integrated with the Oracle HCM module, enabling automatic routing of monthly p-card expense reports to cardholder supervisors for approval after submission. Each employee is assigned a unique Oracle identification, so there is a higher confidence that the person approving the report is authorized and does in fact supervise the cardholder. Previously, this was entirely manual, opening up the possibility that an approving supervisor's signature was forged or that the report was otherwise approved by the wrong person.

Control Type: Automated

Attachment 4
P-Card Limits
General
Each cardholder has a single transaction and 30-day purchase limit on their card that can only
be modified by Purchasing. Cardholders are unable to exceed their approved limits, which
range from $500 to $5,000 for a single transaction and $2,000 to $25,000 for a 30-day limit.
Exceptions
There are three exceptions to these limits as follows:
1. Purchasing staff have limits that correspond with their purchase order and contracting
authority for use in exceptional circumstances or when suppliers won't accept purchase
orders. An example of this is our COVID testing provider, who will not accept purchase
orders. Although these higher limits are seldom used, they are subject to compliance
with policies and procedures (i.e., appropriate solicitation requirements have been met
or a documented sole source justification has been approved) and are approved by the
Purchasing Manager. The limits for Purchasing staff are as follows:
a. Contracts and Procurement Specialist - $25,000 single / $100,000 monthly
b. Purchasing and Materials Manager - $50,000 single / $200,000 monthly
2. In 2016, the HR Payroll Analyst was issued a "cardless" account solely to be used to pay
child support payments to the California State Disbursement Unit. This arrangement
was made because other forms of payment were not accepted. There is no single
transaction limit; however, the monthly limit is $12,000.
3. The Contracts Specialist in Capital Projects has a single transaction limit of $25,000 and
a monthly limit of $75,000.