Quarterly Purchasing Card Administrators’ Meeting Thursday, May 17, 2012 – 9:00-Noon Winewood Office Center, Building 4 AGENDA Introductions Special Presentations Rachael Lieblick, DFS—Statewide Vendor File Discussion Outstanding Items ITN Update Insurance for Non-state Rental Vehicles New Items Third Party Payers Overrides—Process Rep Letter—Draft Decline Reports—Discussion PCard Website Update Waiver of Liability Reminder Emergency Real-time Changes Reminder Questions/Other Discussion REMINDER Next Meeting: August 15, 2012 Quarterly Purchasing Card Administrators’ Meeting Minutes Thursday, May 17, 2012 – 9:00-11:15 Winewood Office Center, Building 4 Facilitator: Marie Walker Introductions Special Presentations Rachael Lieblick, DFS—Statewide Vendor File Discussion o The Statewide Vendor File (SWVF) currently contains 280,000 vendors with unique taxpayer IDs - 50,000 of those vendors have valid W-9s on file. o The SWVF Group recently submitted a sample of PCard vendors to the IRS to determine if the vendors’ information matched. Only 25% of the vendors were invalid with the IRS file – either the name or ID not on file. o Within the next month, the SWVF Group plans to: send out surveys to users with access to the SWVF. The results of the surveys will help the group shape policies and create training documents. begin Vendor Add monitoring. Weekly e-mails will be sent to users adding ―questionable‖ vendors, such as vendors marked ―Confidential‖ or given ―N‖ numbers. o Majority of Vendor Adds are ―Confidential‖ and ―N‖ vendors. o W-9s are not required for adding PCard vendors. o DFS does not accept paper W-9s. Vendors must register W-9 online. http://www.myfloridacfo.com/aadir/SubstituteFormW9.htm o The registration is a two-step process. The vendor must first register with DFS, then file the W-9. o After the vendor registers a W-9, the process typically takes 24-48 hours to finalize. o Additional discussion: Since IRS has responsibility for 1099 reporting for PCard transactions, why not get bank to transmit information to us? Rachael (RL): Information may not be available with current contract. Suggestion was made to not use Vendor ID in PCM. RL: Suggestion has been elevated to management, but Vendor ID is required for transparency purposes. Suggestion was made to create standardized ―N‖ numbers for one-time vendors, such as taxi, small gas stations, etc. One agency asks cardholders to use large corporate gas stations whenever possible. RL: Ask approvers to use the correct vendor name, not necessarily the location of the purchase. Suggestion was made to create a task force to discuss policy recommendations after the results of the surveys are received. RL: DFS is anxious to get policies out quickly, not sure if time will allow for task force meetings. 1|P age o The Statewide Vendor File Group is available to help find the correct vendor ID. The contact information for the group is: (850) 413-5987 statewidevendorfile@myfloridacfo.com Outstanding Items ITN Update - DFS has been ―white-boarding‖ with DMS to help them understand the current process. DMS has asked Christina Smith (Director, DFS’s Division of Accounting and Auditing) to appoint people to serve on a work group to re-write the Statement of Work. Insurance for Non-state Contract Rental Vehicles - There has been no resolution to the issue, which is two-part: o There is no authority to pay for insurance on non-state contract rental vehicles. o Division of Risk Management suggests paying for it. Marie plans to discuss this issue with management at the monthly meeting in June. New Items Third Party Payers – This is an amazingly complex issue. New technology allows for card processing services to be attached to cell phones and is cheaper for small businesses to use, so the number of competing services is increasing. (See PowerPoint slides for examples of the new technology provided by third party payers.) Some of the latest third party payers include: o GoPayment o Square.com (Shown in FLAIR as SQ*) o Google Wallet When determining how to deal with third party payers, the PCard program will need to balance between transparency needs and the agencies’ need to do business. Overrides Process - Overrides can be requested for excluded MCCs, but not for credit limits. For MCC overrides, the Agency Administrators must email Marie or Michelle the following: Cardholder Name Last 8 digits of card number Vendor Amount of transaction Reason for purchase An email is necessary to provide file documentation of the override. The request will be processed ASAP; however, if the override is time sensitive, call Marie or Michelle after emailing the request. When the Statewide Office is fully staffed, the email will be sent to the central email account; Administrators will be notified when the process changes, Rep Letter (Draft) (See PowerPoint of the latest draft of the Rep Letter.) – DFS plans to require the Rep Letter to be filed on a fiscal year cycle. Based on feedback, 2|P age the letter will include two sections that will deal with the following optional program components: o Emergency cards – provide the agencies with the following options: The agency has emergency cards without cardholder names and is willing to accept the risk associated with not having a cardholder attached to a card. The agency has emergency cards with cardholder names and the cards are properly secured. The agency does not have emergency cards. o Travel agents – provide the agencies with the following options: The agency uses internal travel agents, which are addressed in the agency’s PCard plan. The agency follows the procedures included in the plan. The agency does not include internal travel agents in the PCard plan and does not allow cardholders to charge travel for others. The letter will also be revised to allow for an agency to use its own reconciliation reports, as long as the reports have been reviewed by DFS. Decline Reports—A majority of the Administrators agreed the Decline Reports are useful and asked if the reports could be distributed daily, instead of weekly. The reports will be provided daily once the Statewide Office is fully staffed. PCard Website Update (See PowerPoint showing the latest enhancements of the PCard website.) – The updated website was released the day of the meeting (5/17/12). The website includes two new reports, Credit Limit vs. Charge Total Comparison and Sales Receipt Information. The Sales Receipt Information report includes level 3/line item detail of the transaction. The new reports do not require OLOs to be entered, as they are governed by the user’s RACF ID. Waiver of Liability Reminder – Agencies may be able to get credit from Visa for fraudulent purchases made by employees. The agency must follow the process with strict deadlines, including firing the employee. The Waiver of Liability information is available on the PCard website. Administrators should be aware of requirements. Emergency Real-time Changes Reminder - Hurricane Season is coming! The procedure and form for making real-time changes in a Governor Declared Emergency are on the website. Administrators should plan ahead as much as possible. If a hurricane is in the forecast, Administrators should make changes in the module. Keep in mind that if phones are down, the Administrators may not be able to get through to the bank to make real-time changes. Remember—an emergency for a cardholder does not make it a true emergency. 3|P age Questions/Other Discussion o Payment of Service Fees —There is no authority to pay for service fees, such as those charged by utilities. Marie plans to discuss this topic with management at the monthly meeting in June. o Updating MCC Codes —There have been codes added to the bank’s list through the years that have never been added to the PCard Module. The Statewide Office will be reviewing to determine which MCCs are allowable, restricted, and prohibited and will update the MCC file in FLAIR. Once the review is complete, the updated list will be sent to the Administrators and posted to the PCard website. o Meeting Website—All meeting materials are posted on the PCard Quarterly Meetings website (http://www.myfloridacfo.com/aadir/PurchasingCard/PCardMeetings.htm) for the convenience of the Administrators, including call-in information, agenda, minutes, and handouts. o Access Control—The PCard Administrator must not be the agency’s access control custodian. For the agency and the Administrator’s protection, the Administrator should not set up access and reset passwords. It violates separation of duties control. If an auditor were to perform and internal controls audit, having those two duties assigned to the same person would result in an audit finding. o Administrators’ Access and Activity – DFS has a report available to management to determine employees’ access and activity. The Statewide Office will determine if similar reports are available to agencies. This may help agencies with the statement on the Rep Letter related to monitoring the agency administrator. The Statewide Office may request organizational charts from the agencies to help identify the Agency Administrators’ supervisors. DOT suggested using a third party to monitor Administrators’ activities. Discussion also included the possibility of a workgroup to determine best practice for monitoring Administrators’ access and activity. Department of Revenue monitoring methodology has been attached to these minutes as an example of what one agency is doing. o Online Travel Agencies (Expedia, Travelocity, etc.) – Angela Pereira said DMS has received conflicting information regarding the use of online travel agencies, due to the fees charged. Other agencies have had the following issues with online vendors: Non-acceptance of tax-exemption number Advance payment for hotels Reservation cancellation The Administrators were advised to keep the best interest of the state in mind and use the most economical means for making travel arrangements. o Gas for Rental Vehicles – Diana Blue, DBPR, asked if fuel could be purchased with the PCard when renting vehicles from any contract vendor (not just Avis), such as Enterprise trucks. A new CFOM has been 4|P age o o drafted to include fuel for all rental vehicles used for state business. The Administrators will be notified once the CFOM is approved. Copying PCards at Hotels for DOR Requirements – Department of Revenue requires that hotels make a copy of the PCard and keep it on file to support the tax exemption. DOR has been unwilling to reconsider this requirement in the past. Marie plans to discuss this issue with management at the monthly meeting in June. DMS’s Tax-Exempt Number – Cardholders have been questioned about DMS’s tax-exempt number being on the cards for other agencies. During the negotiations for the new contract, the Statewide Office will determine if each agency’s tax exempt number can be imprinted on the PCards for that agency. Angela Pereira, DMS Administrator, receives tax-exempt verification requests from vendors daily. REMINDER Next Meeting: August 15, 2012 5|P age Review of PCard Administrator’s Work By Robert Notman, DOR Agency Purchasing Card Administrator Several years ago in a meeting with Crystal Read and Mark Merry, I was asked, “Who in your agency is watching or reviewing what you do?” “Who is ensuring you are not creating cards for personal gain, etc.?” I must admit that I was taken aback by this. It never occurred to me to think like a criminal. But I wasn’t offended, only surprised. This was the first time that I recall ever having been asked something like this by DFS. Promptly upon returning from this meeting, I proposed to my supervisor that we have a report created in MRE that lists all of the new cardholders and then have someone run those names in a query against a PeopleFirst employees list. If there were any anomalies, I would be tasked to explain them or justify what happened. Initially, I created the MRE report to get the idea going. It was then handed over to a different section not controlled by the Purchasing Card Administrator. When the report ran, it was originally sent to my staff person to run the matches. A copy was also sent to an outside party so that the result could be compared to ensure that I wasn’t influencing the results through my staff member. Later we were able to move the function totally outside of my control. How has this worked? Every month an outside staff member receives the two reports (one from MRE and one from PeopleFirst) and does a data match. I can recall only one instance when there wasn’t a match. In this particular case, an employee had requested a card and, by the time it was issued, he had resigned. So based on the initial reports, it looked like we had issued a card to a non-employee. The report looks at the cardholders created by all of the DOR PCard Administrators. At some point we should also consider including looking at all new persons added to FLAIR to ensure they are in fact employees. Right now we focus on cardholders as we believe this is where the greatest risk could be. All agencies should consider having something like this in place. It protects both the PCard Administrator and the agency. 6|P age June XX, 2012 Chief Financial Officer State of Florida Florida Department of Financial Services 200 East Gaines Street Tallahassee, Florida 32399-0354 Dear CFO Atwater: We are providing this letter to you in connection with our agency’s Purchasing Card Program. We make the following representations to you based on our best knowledge and belief. We have established and are maintaining a system of effective internal controls to prevent and detect waste, fraud, and abuse within our Purchasing Card Program. These internal controls include the following measures: We have established effective internal controls related to our agency’s Purchasing Card Program to provide reasonable assurance that we are managing the program in compliance with laws and regulations. We have procedures that ensure that all employee cardholders are trained on the proper uses of the Purchasing Cards prior to card issuance. The employee cardholders acknowledge their training, responsibilities, and understanding by signing cardholder agreements with maintained by the Agency Purchasing Card Administrator. We have procedures to ensure that all employee accounts for cardholders who leave the agency or are no longer eligible for a Purchasing Card, for any reason, are timely promptly deactivated from through the FLAIR Purchasing Card Module. We have proper segregation of duties between cardholders, approvers, and the monthly reconcilers. Our Agency Purchasing Card Administrator has not been assigned any conflicting duties, such as FLAIR Access Control Custodian. We have procedures to ensure all employee cardholders’ transactions are properly approved by supervisors or managers who have direct knowledge that the transactions are in compliance with law and are valid obligations of the State. We have procedures to ensure all transactions are documented by employee cardholder signed and dated receipts or the equivalent. These records and other supporting documentation are kept on file in the agency to validate purchases. We have procedures to ensure all FLAIR Purchasing Card Module reports of employee cardholder activity are reconciled against receipts and any other purchasing documents at Comment [MW1]: Robert Notman has requested addition of: “or other DFS-approved” least monthly. This reconciliation is completed within10 days after the close of the business period. We have appropriate security in place to protect Purchasing Card Program information, such as account numbers and expiration dates. We have procedures to ensure all emergency Purchasing Cards are maintained by the agency and are safeguarded to prevent unauthorized access and use. We have procedures to ensure the Purchasing Card Administrator is effectively monitoring our agency’s Purchasing Card Program by maintaining accurate FLAIR Purchasing Card Module administrative records and verifying that transactions are timely processed within the ten calendar days of receipt in the Purchasing Card Module. We have procedures to ensure the Purchasing Card Administrator function is periodically reviewed by our agency’s management to ensure that all employee cardholder information within the FLAIR Purchasing Card Module is properly authorized and documented. We have periodic audits/reviews by the agency’s Office of Inspector General to determine if established internal controls are functional and effective. Sincerely, Comment [MW2]: Marianne Hinchee commented that the Paid Charges report is not available until the 8th of the month. Therefore, completion by the 10th is not reasonable. Comment [MW3]: Marianne Hinchee commented that her agency does not utilize emergency cards. PCard Web Site New and Improved Look PCard Main Screen Top Links • About PCard – About explains some of the history of pcard – Website explains the use of the website – Access explains what is needed to access reports • PCard Resources – Lists any links to memos or other documents related to pcard • Additional Links – Contains links to MRE, IW Dictionary and other documents that may be necessary for use with the website. • Administrator Use Only – Access to the content only available to PCard Admins • Comments/Suggestions – Use this to get messages to the Statewide PCard staff. If you have problems or need assistance you should contact the DFS Helpdesk at (850) 4133190. • Any items with a lock means that a RACF id and password is required. PCard Admin Screen Report Input Screen Purchasing Card Report Descriptions Charge Reports Agency Voucher Report: Lists the payments by SWDN and agency voucher number. Fields displayed on the report are SWDN, agency document number, cardholder, merchant, invoice number, distribution line number, charge date, add date and amount. Drill down on SWDN to get warrant information. Paid Charges: Lists all of the paid charges for a selected period. An additional parameter will provide paid charges with dispute codes only. Fields displayed are group, cardholder name, Person Id, invoice number, charge amount, merchant, charge date, distribution line number, transaction amount, transaction date, add date, ORG code, charge age (in days), dispute code and dispute description. Drill down on invoice number to see warrant information. Reconciliation Report: Lists all of the P-Card transactions for a selected period. Fields displayed are group code, group description, cardholder name, charge amount, merchant, charge date, add date, transaction amount, approval status, charge rejection code and charge rejection description. Sales Receipt Information: Provides detail information from sales receipts of charges. Two input options are available to query data: Invoice number and charge dates. Optional parameters include vendor name, group code, person id and cardholder last name. Drilldown on invoice number for distribution line information. Unpaid Charges (Aging): Lists all of the unpaid charges. Optional parameters include multiple age ranges for viewing unpaid charges (>= 8 days, >= 10 days, >=20 days, etc.) and viewing disputed unpaid charges only. Fields displayed are OLO, group, cardholder name, merchant, invoice number, charge amount, charge date, add date, approval status, change date, age (in days), charge rejection code, charge rejection description. Cardholder Reports Active Cardholders: Lists all of the active cardholders for the selected agency. Fields displayed are group code, group name, card sequence number, person id, last name, first name, middle initial, count of the active cardholders for the group and the agency. Drill down on person id for the SIC Set information for the cardholder. Drill down on Date Updated: May 15, 2012 Page 1 group code to get all cardholders for the group and then drill down on cardholder name for the SIC set information. Active Cards with No Charge Activity: Provides a listing of only those active cardholders with no charge activity based on the period of non-activity selected below and current date (ex: never used, no activity within 3 months, no activity within 6 months, etc). Report also provides card issue date and number of days since card was issued. Administrative Reports Card Limit – Charge Total Comparison: Provides a comparison of credit limit, charge total, and percentage of card limit by cardholder. Options for the Comparison type are monthly and daily. An ‘Over Card Limit’ option will only display cardholders who have exceeded their card limit. Miscellaneous Reports Vendor Address Information: Lists vendor (merchant) information for a given invoice number. Fields displayed are invoice number, group code, person id, cardholder name, MCC, charge amount, merchant (vendor), merchant city, merchant state, merchant zip, merchant country. Date Updated: May 15, 2012 Page 2