Any auditor worth his or her salt knows that there will be misuse of company credit cards by employees. No amount of policy guidance, no amount of internal controls, no amount of training will ever ensure that 100 percent of all credit card transactions are on the up-and-up. For Heaven’s sake—most of us can’t manage our personal credit cards; what makes anybody think we can manage our company credit cards any better?

It’s hardly a newsflash at this point that some employees are going to use their company credit cards to purchase something they shouldn’t. They are going to make a personal purchase. They are going to buy stuff at the mini-mart while gassing the car. They may buy booze or lottery tickets. They may buy flowers for the wife or for the boyfriend. They may make a mortgage payment with their company credit card because they maxed-out their other cards and there’s nothing left in the checking account this week, and they probably figured it was better to risk corporate discipline than losing the house.

Employees have been misusing their company credit cards for as long as there have been company credit cards, and it’s no longer news. But auditors looking for something to audit and have findings to report know where to look for the juicy stuff, and they can go to the credit cards when they need to, secure in the knowledge that they will find what they seek. Credit cards are the go-to audit. It’s like stealing candy from a baby and all the auditors know it.

So in that spirit, let us discuss the recently issued Department of Defense Inspector General audit report with the catchy title: DoD Cardholders Used Their Government Travel Cards for Personal Use at Casinos and Adult Entertainment Establishments.

Oh, yes, dear readers. We are sad to report to taxpayers and Members of Congress that our worst fears have been realized. Some government employees misused their credit cards! At places of gambling! And dens of iniquity! Oh noes!

The finding in the DoD IG report is damning. It is as follows—

From July 1, 2013 through June 30, 2014, DoD cardholders had 4,437 transactions totaling $952,258, where they likely used their travel cards at casinos for personal use and had 900 additional transactions for $96,576 at adult entertainment establishments.

Oh, the humanity. Let us weep for these sinners, who “likely” used their credit cards “at casinos for personal use.” Not to mention the 900 additional transactions recorded at “adult entertainment establishments.” Shocking, we tell you. Shocking.

The DoD IG developed its findings by identifying a universe of “high risk” transactions at casinos. These transactions were recorded by 2,636 cardholders. The DoD IG “nonstatistically selected” seven (7) of those 2,636 cardholders for “further analysis.” Those seven cardholders had 76 transactions valued at $19,643 which were deemed to be for personal use. The DoD IG used the results of the 76 transactions recorded by the seven “nonstatistically selected” cardholders to validate its findings. In other words, those 76 transactions were used to determine that 100 percent of the “high risk” transactions were, indeed, for personal use and not for governmental purposes.

Seven out of 2,636.

$19,643 out of $952,258.

Those are pretty damn small samples upon which to base such a damning report, wouldn’t you think? Not to mention the whole “nonstatistical” selection thingee, which kind of means the auditor shouldn’t be able to project the sample confirmations to the universe. But maybe the seeming methodological flaws got lost in the rush to publish such a juicy and headline-worthy audit report.

Whatever.

The in-depth analysis by the DoD IG auditors resulted in nine (9) recommendations. The recommendations ranged from the prosaic to the ridiculous. Among the nine recommendations were unique and innovative approaches to reducing future credit card misuse, such as:

• Prohibit certain “high risk” merchants (such as casinos and adult entertainment establishments). The DoD IG acknowledged that certain merchants had already been blocked, but felt that additional policy guidance was needed in that area.

• Review reports showing when cards were declined. The DoD IG acknowledged that the ability to generate and review such reports was already in place; however, the auditors felt that such reviews should be mandatory instead of optional. Almost as if managers shouldn’t have discretion or be held accountable for their failure to exercise that discretion.

• Modify the government’s contract with Citibank (the card issuer) to mandate notification of suspected fraudulent activity or suspended accounts. (This one actually is a decent recommendation.)

We could go on. The DoD IG report clearly indicated that reasonable controls were already in place, but (of course) the auditors felt compelled to recommend even more controls. Because obviously more controls will mean less misuse of the credit cards by employees. Because zero misuse is obviously an attainable goal.

To their credit, those receiving the recommendations didn’t just rubber-stamp a “sure” and move on. The Director of the Defense Travel Management Office (DTMC) pointed out that “The personal use identified in the report amounts to 0.0307% of the total card spend of $3.417 billion … during the period of the audit [and] 0.0275% of 220.118 million total transactions.” In other words, the controls in place are working just fine.

The Director, DTMC, also pointed out what DoD IG had relegated to its footnotes (in a metaphorical sense). In point of fact “personal use … does not result in the payment or loss of U.S. taxpayer dollars given that … the card holder must pay the cost of unauthorized or person use transactions ‘out of pocket’.” In other words, while personal use was misuse, the cardholder was always personally and financially liable for paying all transactions recorded on the credit card.

The DoD IG spent untold hours focusing on a handful of transactions for which there was no risk to the government, for which the cardholder was always going to pay. There was no newsflash, nor was there any news. But that kind of audit report doesn’t make for the same type of juicy newspaper headline, does it?