Audit: DSU lacked proper controls on purchasing cards in 2018
DOVER — An audit of Delaware State University’s use of state purchasing cards during fiscal year 2018 found issues ranging from transaction reporting to missing documentation, and card usage by unauthorized individuals to internal control weaknesses that could increase the risk of overspending and fraudulent charges, the state auditor reported.
The audit covered the period between July 1, 2017, and June 30, 2018, during a “particularly challenging” period when the university had two different board chairs, two presidents, a new provost, and three chief financial officers and additional upheaval in the finance office, said spokesman Steve Newton.
Many of the issues had reportedly been addressed prior to the start of the audit, which was triggered by what State Auditor Kathy McGuiness said was a complaint to her department’s hotline.
That said, the audit report identifies $462,354 in expenses that were not recorded due to cardholders not submitting expense reports and another $208,540 in “potential violations” under the “non-allowable purchases” category.
Newton said the university has been working on these issues for the past two years and has “not identified any charges that were fraudulent or inappropriate items.” In about 90% of the cases, they were expensed to the wrong university department or area and the university has charged them to the correct budget and either re-educated employees with multiple violations or removed their access to the cards.
The university has not identified any specific transactions or expenses that need to be recovered from current or past employees, Newton said.
McGuiness released the report in an email May 7 to 67 legislators, government officials, and higher education leaders but didn’t mention in either the audit report or email that she was a member of the DSU board of trustees between January 2017 and December 2018. She left when she was elected to the state auditor position.
When asked about the omission by Delaware Business Times, McGuiness said that she did not feel she needed to redisclose her participation on the DSU board since she disclosed it when she took office in January 2019.
“The State Auditor has no working role in these engagements” beyond discussions when staff auditors present ideas for audits, she said. “When I sign off on an audit, I cannot change the recommendations. Although I served on the [DSU] Board during the period chosen for review, the level of accounting and review of internal controls assessed for the performance audit generally would not have been an issue that the Board would have knowledge, unless a formal audit of this nature was completed and a report issued during my tenure.”
Public board minutes reflect that the issues around the purchasing card were discussed in open session during that time, but they do not reflect the level of detail during those discussions.
Per the university policy, purchase cards are not meant to be used for personal or private use, travel, transactions over the limit of card, split purchases to stay within transaction limits, entertainment and controllable equipment (such as iPads or computers).
The audit tested 40 random purchase card samples and 67 “high-risk transaction samples,” which means transactions including potential split transactions, PayPal transactions, hotel bookings, and more.
The audit report’s recommendations include documenting initial and annual training on card policy and use, updating offboarding checklists for terminated employees to include card deactivation, entering all purchases into the general ledger monthly and holding employees accountable for submitting receipts and conduct an internal audit on card processes.
Tony Allen, who began his presidential tenure at DSU in January 2020 and served as provost during the audit period, said “the university fully cooperated with the purchase card audit for the fiscal year 2018 and has already addressed the most substantive findings and recommendations as our fiscal 2019 audit reflects.”
In particular, Allen said the university implemented initial and refresher training for all cardholders during fiscal year 2019; instituted an annual review of all policies to further clarify rules about prohibited purchases; and limited the issue and use of purchase cards to a preapproved list of full-time employees.
“We have reduced the number of individuals authorized to use purchase cards by 52%,” Allen said. “We recognize the necessity of complete transparency with respect to our use of state funds, which is why we have, in several aspects, already gone beyond this report’s recommendations.”
Shortly after assuming his new role this past January, Allen created a chief enterprise risk officer role, which reports directly to him. Attorney LaKresha Moultrie, who serves in that position, has recently selected a new internal auditor, a process that was delayed at the start of the COVID-19 pandemic.
Delaware Technical Community College was also audited for its purchasing card policies, with no discrepancies found in a report issued in February. The state auditor said the University of Delaware had “declined to participate,” a status that UD objected to in February 2020 but did tell reporters that Delaware code requires UD’s audits in this area needed to be conducted by an outside contractor, which for the university is KPMG.
DSU also said it is evaluating how cardholders are held accountable for spending, and controls in its management software.