Quarterly Purchasing Card Administrators’ Meeting Minutes
Thursday, May 17, 2012 – 9:00-11:15
Winewood Office Center, Building 4
Facilitator: Marie Walker

Introductions

Special Presentations

Rachael Lieblick, DFS—Statewide Vendor File Discussion
o The Statewide Vendor File (SWVF) currently contains 280,000 vendors with unique taxpayer IDs - 50,000 of those vendors have valid W-9s on file.
o The SWVF Group recently submitted a sample of PCard vendors to the IRS to determine if the vendors’ information matched. Only 25% of the vendors were invalid with the IRS file – either the name or ID not on file.
o Within the next month, the SWVF Group plans to:
   - send out surveys to users with access to the SWVF. The results of the surveys will help the group shape policies and create training documents.
   - begin Vendor Add monitoring. Weekly e-mails will be sent to users adding “questionable” vendors, such as vendors marked “Confidential” or given “N” numbers.
o Majority of Vendor Adds are “Confidential” and “N” vendors.
o W-9s are not required for adding PCard vendors.
o DFS does not accept paper W-9s. Vendors must register W-9 online. http://www.myfloridacfo.com/aadir/SubstituteFormW9.htm
o The registration is a two-step process. The vendor must first register with DFS, then file the W-9.
o After the vendor registers a W-9, the process typically takes 24-48 hours to finalize.
o Additional discussion:
   - Since IRS has responsibility for 1099 reporting for PCard transactions, why not get bank to transmit information to us? Rachael (RL): Information may not be available with current contract.
   - Suggestion was made to not use Vendor ID in PCM. RL: Suggestion has been elevated to management, but Vendor ID is required for transparency purposes.
   - Suggestion was made to create standardized “N” numbers for one-time vendors, such as taxi, small gas stations, etc. One agency asks cardholders to use large corporate gas stations whenever possible.
     RL: Ask approvers to use the correct vendor name, not necessarily the location of the purchase.
   - Suggestion was made to create a task force to discuss policy recommendations after the results of the surveys are received. RL: DFS is anxious to get policies out quickly, not sure if time will allow for task force meetings.
o The Statewide Vendor File Group is available to help find the correct vendor ID. The contact information for the group is:
   (850) 413-5987
   statewidevendorfile@myfloridacfo.com

Outstanding Items

ITN Update - DFS has been “white-boarding” with DMS to help them understand the current process. DMS has asked Christina Smith (Director, DFS’s Division of Accounting and Auditing) to appoint people to serve on a work group to re-write the Statement of Work.

Insurance for Non-state Contract Rental Vehicles - There has been no resolution to the issue, which is two-part:
o There is no authority to pay for insurance on non-state contract rental vehicles.
o Division of Risk Management suggests paying for it.
Marie plans to discuss this issue with management at the monthly meeting in June.

New Items

Third Party Payers – This is an amazingly complex issue. New technology allows for card processing services to be attached to cell phones and is cheaper for small businesses to use, so the number of competing services is increasing. (See PowerPoint slides for examples of the new technology provided by third party payers.) Some of the latest third party payers include:
o GoPayment
o Square.com (Shown in FLAIR as SQ*)
o Google Wallet
When determining how to deal with third party payers, the PCard program will need to balance between transparency needs and the agencies’ need to do business.

Overrides Process - Overrides can be requested for excluded MCCs, but not for credit limits.
For MCC overrides, the Agency Administrators must email Marie or Michelle the following:
   - Cardholder Name
   - Last 8 digits of card number
   - Vendor
   - Amount of transaction
   - Reason for purchase
An email is necessary to provide file documentation of the override. The request will be processed ASAP; however, if the override is time sensitive, call Marie or Michelle after emailing the request. When the Statewide Office is fully staffed, the email will be sent to the central email account; Administrators will be notified when the process changes.

Rep Letter (Draft) (See PowerPoint of the latest draft of the Rep Letter.) – DFS plans to require the Rep Letter to be filed on a fiscal year cycle. Based on feedback, the letter will include two sections that will deal with the following optional program components:
o Emergency cards – provide the agencies with the following options:
   - The agency has emergency cards without cardholder names and is willing to accept the risk associated with not having a cardholder attached to a card.
   - The agency has emergency cards with cardholder names and the cards are properly secured.
   - The agency does not have emergency cards.
o Travel agents – provide the agencies with the following options:
   - The agency uses internal travel agents, which are addressed in the agency’s PCard plan. The agency follows the procedures included in the plan.
   - The agency does not include internal travel agents in the PCard plan and does not allow cardholders to charge travel for others.
The letter will also be revised to allow for an agency to use its own reconciliation reports, as long as the reports have been reviewed by DFS.

Decline Reports—A majority of the Administrators agreed the Decline Reports are useful and asked if the reports could be distributed daily, instead of weekly. The reports will be provided daily once the Statewide Office is fully staffed.

PCard Website Update (See PowerPoint showing the latest enhancements of the PCard website.)
– The updated website was released the day of the meeting (5/17/12). The website includes two new reports, Credit Limit vs. Charge Total Comparison and Sales Receipt Information. The Sales Receipt Information report includes level 3/line item detail of the transaction. The new reports do not require OLOs to be entered, as they are governed by the user’s RACF ID.

Waiver of Liability Reminder – Agencies may be able to get credit from Visa for fraudulent purchases made by employees. The agency must follow the process with strict deadlines, including firing the employee. The Waiver of Liability information is available on the PCard website. Administrators should be aware of requirements.

Emergency Real-time Changes Reminder - Hurricane Season is coming! The procedure and form for making real-time changes in a Governor Declared Emergency are on the website. Administrators should plan ahead as much as possible. If a hurricane is in the forecast, Administrators should make changes in the module. Keep in mind that if phones are down, the Administrators may not be able to get through to the bank to make real-time changes. Remember—an emergency for a cardholder does not make it a true emergency.

Questions/Other Discussion
o Payment of Service Fees —There is no authority to pay for service fees, such as those charged by utilities. Marie plans to discuss this topic with management at the monthly meeting in June.
o Updating MCC Codes —There have been codes added to the bank’s list through the years that have never been added to the PCard Module. The Statewide Office will be reviewing to determine which MCCs are allowable, restricted, and prohibited and will update the MCC file in FLAIR. Once the review is complete, the updated list will be sent to the Administrators and posted to the PCard website.
o Meeting Website—All meeting materials are posted on the PCard Quarterly Meetings website (http://www.myfloridacfo.com/aadir/PurchasingCard/PCardMeetings.htm) for the convenience of the Administrators, including call-in information, agenda, minutes, and handouts.
o Access Control—The PCard Administrator must not be the agency’s access control custodian. For the agency and the Administrator’s protection, the Administrator should not set up access and reset passwords. It violates separation of duties control. If an auditor were to perform an internal controls audit, having those two duties assigned to the same person would result in an audit finding.
o Administrators’ Access and Activity – DFS has a report available to management to determine employees’ access and activity. The Statewide Office will determine if similar reports are available to agencies. This may help agencies with the statement on the Rep Letter related to monitoring the agency administrator. The Statewide Office may request organizational charts from the agencies to help identify the Agency Administrators’ supervisors. DOT suggested using a third party to monitor Administrators’ activities. Discussion also included the possibility of a workgroup to determine best practice for monitoring Administrators’ access and activity. Department of Revenue monitoring methodology has been attached to these minutes as an example of what one agency is doing.
o Online Travel Agencies (Expedia, Travelocity, etc.) – Angela Pereira said DMS has received conflicting information regarding the use of online travel agencies, due to the fees charged. Other agencies have had the following issues with online vendors:
   - Non-acceptance of tax-exemption number
   - Advance payment for hotels
   - Reservation cancellation
   The Administrators were advised to keep the best interest of the state in mind and use the most economical means for making travel arrangements.
o Gas for Rental Vehicles – Diana Blue, DBPR, asked if fuel could be purchased with the PCard when renting vehicles from any contract vendor (not just Avis), such as Enterprise trucks. A new CFOM has been drafted to include fuel for all rental vehicles used for state business. The Administrators will be notified once the CFOM is approved.
o Copying PCards at Hotels for DOR Requirements – Department of Revenue requires that hotels make a copy of the PCard and keep it on file to support the tax exemption. DOR has been unwilling to reconsider this requirement in the past. Marie plans to discuss this issue with management at the monthly meeting in June.
o DMS’s Tax-Exempt Number – Cardholders have been questioned about DMS’s tax-exempt number being on the cards for other agencies. During the negotiations for the new contract, the Statewide Office will determine if each agency’s tax exempt number can be imprinted on the PCards for that agency. Angela Pereira, DMS Administrator, receives tax-exempt verification requests from vendors daily.

REMINDER
Next Meeting: August 15, 2012

Review of PCard Administrator’s Work
By Robert Notman, DOR Agency Purchasing Card Administrator

Several years ago in a meeting with Crystal Read and Mark Merry, I was asked, “Who in your agency is watching or reviewing what you do?” “Who is ensuring you are not creating cards for personal gain, etc.?” I must admit that I was taken aback by this. It never occurred to me to think like a criminal. But I wasn’t offended, only surprised. This was the first time that I recall ever having been asked something like this by DFS.

Promptly upon returning from this meeting, I proposed to my supervisor that we have a report created in MRE that lists all of the new cardholders and then have someone run those names in a query against a PeopleFirst employees list. If there were any anomalies, I would be tasked to explain them or justify what happened.
Initially, I created the MRE report to get the idea going. It was then handed over to a different section not controlled by the Purchasing Card Administrator. When the report ran, it was originally sent to my staff person to run the matches. A copy was also sent to an outside party so that the result could be compared to ensure that I wasn’t influencing the results through my staff member. Later we were able to move the function totally outside of my control.

How has this worked? Every month an outside staff member receives the two reports (one from MRE and one from PeopleFirst) and does a data match. I can recall only one instance when there wasn’t a match. In this particular case, an employee had requested a card and, by the time it was issued, he had resigned. So based on the initial reports, it looked like we had issued a card to a non-employee.

The report looks at the cardholders created by all of the DOR PCard Administrators. At some point we should also consider including looking at all new persons added to FLAIR to ensure they are in fact employees. Right now we focus on cardholders as we believe this is where the greatest risk could be.

All agencies should consider having something like this in place. It protects both the PCard Administrator and the agency.