Nationwide Review of Voyager Fleet Card Personal Identification Numbers
Our objective was to assess the effectiveness of the Postal Service’s management controls for Voyager Fleet Card (Voyager card) Personal Identification Numbers (PINs) nationwide. Voyager Fleet Systems Inc., owned by U.S. Bank, issues the Voyager cards and PINs.
The Postal Service operates one of the largest vehicle fleets in the U.S. and used 229,682 vehicles in fiscal year (FY) 2018, primarily to deliver and collect mail. The Postal Service does not issue Voyager cards to employees, but assigns the cards to vehicles, delivery units, and vehicle maintenance facilities (VMF). Postal Service employees use these cards to purchase fuel, oil, and maintenance services from external commercial businesses (vendors) either [redacted]. Postal Service policy requires employees to enter a PIN to complete a Voyager card purchase. The PIN identifies the Postal Service employee authorizing the purchase.
Site managers assign PINs to new employees or employees who have transferred into a unit and who are responsible for purchasing fuel (such as drivers) or paying for maintenance (such as VMF clerks and site managers). [Redacted] Postal Service policy provides guidance over the assignment, use, and monitoring of PINs. For example:
- Only Postal Service employees are assigned a PIN – a vendor cannot be assigned a PIN.
- Voyager cards and PINs each have limits of $300 per day, three transactions per day, and $1,000 per month.
- Site managers are required to contact the VMF if they require PIN increases above established limits. These requests must be authorized and processed by the responsible VMF manager or their designee by [redacted]
- Site managers are required to conduct a semiannual review to verify that PIN information is accurate and complete.
- Site managers must terminate an [redacted] when an employee leaves the Postal Service, transfers to a new location, or retires.
Our audit focused on the 423,681 active PINs for mail delivery and collection operations as of July 2018. Employees made purchases totaling $627 million in FY 2018 using these PINs.
What the OIG Found
Controls over Voyager PINs are ineffective nationwide. Our analysis of 423,681 active PINs in mail delivery and collection operations showed that site managers:
- Inappropriately assigned 651 PINs to vendors who made 321,586 purchases totaling $30,672,985.
- Failed to deactivate 18,697 PINs for employees assigned more than one PIN, transferred to another unit, or no longer employed at the Postal Service. These PINs were used to make 314,962 purchases totaling $15,454,663.
- Did not assign an employee name to 776 PINs which were used for purchases totaling $188,391.
- PINs with no assigned name do not identify the individual authorizing the purchase, only the finance number of the facility where the PIN was issued.
We also identified 7,326 PIN limits which exceeded the authorized purchase limit of $1,000 per month. Because documentation to support approvals to exceed authorized limits is maintained at local VMFs across the country and not electronically, we selected a judgmental sample of 49 PINs to verify if management approved these increased limits. We found that 10 PINs were approved for increased purchase limits, but management did not respond to or provide supporting documentation for the remaining 39 PINs sampled. We made referrals to our Office of Investigations, as appropriate.
These conditions occurred and were not detected because of a lack of automated controls and ineffective management oversight. We noted:
- The Voyager FCO application the Postal Service uses to manage PINs did not include automated controls to prevent vendors from receiving PINs, assigning PINs to employees who already had PINs, and PINs without valid employee names. Further, controls did not exist for Voyager to authenticate Postal Service officials who were authorized to increase PIN limits.
- Site managers did not always comply with the requirements in the Voyager Fleet Card Standard Operating Procedures (SOP), including completion of required semiannual reviews – the primary method of oversight that identifies the issues identified in this report. We could not quantify the number of reviews that were conducted because the Postal Service did not have a mechanism to track and monitor completion of these reviews.
The absence of these controls and ineffective oversight increased the risk of improper and unauthorized purchases and resulted in about $46 million in questioned costs for FY 2018.
What the OIG Recommended
We recommended the Vice President, Controller:
- Coordinate with U.S. Bank Voyager to implement automated controls in the Voyager Fleet Commander Online application to: (1) prevent assignment of PINs to vendors, (2) prevent assignment of multiple PINs to employees, (3) prevent assignment of PINs without valid employee names, and (4) ensure only authorized employees are allowed to request PIN limit changes.
We recommended the Vice President, Delivery & Retail Operations:
- Implement corrective action to: (1) deactivate PINs issued to vendors, (2) deactivate multiple PINs issued to employees or define policy exceptions for multiple PINs, (3) deactivate PINs without a valid employee name, (4) ensure authorized approval of requests for increasing PIN purchasing limits, and (5) track and monitor completion of semiannual reviews.
- Develop and implement interim controls to prevent and detect the issues noted in this report until the Postal Service updates the Voyager Fleet Commander Online application.
- Reinforce to site managers, VMF managers and their designees to follow the requirements in the Voyager Fleet Card SOP for issuing PINs, requesting PIN limit increases, and conducting semiannual reviews.