Stop Blaming P-Cards

When internal card fraud arises, an unfortunate, but common, response is to blame the product itself and take cards away from employees or severely restrict card usage. However, the problem is not Purchasing Cards; rather, it is end-user organizations that lack effective controls. This point is clearly demonstrated in the fraud case that rocked a public school district in my home state of Minnesota. I first wrote about it in July of 2017, but it made the news again last week because the party in question—former school superintendent Rod Thompson—pleaded guilty to 19 felonies. The 16-month FBI investigation that started with a look into his P-Card usage led to the discovery of other crimes and policy infractions he had committed. See more below, as well as key questions every Commercial Card program manager should answer.  

The Fraud Case

Thompson’s felonies include theft by swindle, embezzling public funds, and possessing stolen property. He admitted to using his P-Card for numerous personal purchases totaling tens of thousands of dollars. I laughed out loud when his attorney said Thompson was remorseful for his actions. Was he sorry after he bought the flat-screen TV for his home? How about after he purchased an Xbox gaming system? Did he ever turn himself in because he was sorry? Was he sorry enough to stop committing internal fraud? No. He was only sorry after getting caught.

A group of taxpayers can be credited for cracking the case. In response to a district announcement about a substantial budget problem, they requested, received, and dug into spend reports, even though some people basically called them paranoid. This tells me the district was simply sitting on the valuable information. Either no one internally ever reviewed Thompson’s spend activity or they chose to ignore it. I’m not sure which is worse.

The eventual FBI investigation also revealed Thompson used his position to gain personal benefits from a construction company. They paid for tickets to various events (e.g., Minnesota Vikings games) and did work on Thompson’s home. In turn, he awarded them lucrative school contracts. The lesson here is, if you find an employee guilty of one thing, there is a good chance they are guilty of more.

Thompson will receive some prison time, as well as pay approximately $75,000 in restitution.

Eliminating Commercial Cards is the wrong way to respond to internal card fraud. Rather, conduct a thorough program risk analysis and close the control gaps that make fraud easy to commit.

Eliminating Commercial Cards is the wrong way to respond to internal card fraud. Rather, conduct a thorough program risk analysis and close the control gaps that make fraud easy to commit.

Six Questions

If you can answer “yes” to the following questions, your organization is in good shape for preventing and detecting internal card fraud. Nevertheless, a full risk analysis will provide a more complete picture.

  1. Does every cardholder have an appropriate-level “manager-approver” who reviews transactions at least monthly?

  2. Are cardholders and manager-approvers required to sign an internal agreement, and complete training and/or a quiz each year?

  3. Are executive-level cardholders held to the same standards/rules as others?

  4. Do you have a separate, robust auditing process (e.g., auditing technology) to identify potential issues and fraud?

  5. Does your organization enforce detailed receipt requirements? Thompson often omitted receipts or only provided vague ones.

  6. Are tips about suspicious activity followed up on, even if they seem far fetched?

Related Resources

Subscribe to the Blog

Receive notice of new blog posts.

About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With 20 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more

P-Card program management tools

Got money left in your budget? Instead of buying more office supplies that your organization does not need, get two valuable P-Card program management tools: a guide on revitalizing program policies and procedures, and a customizable risk assessment template. A single electronic copy of each totals a mere $119.98. Visit the store at: https://www.recharged-education.com/store/. Need convincing? Following is more information and a sneak peek of both resources.

If you work for a provider organization and want to obtain these resources to give to clients, there is a license option you can purchase for unlimited distribution.

Revitalizing Your P-Card P&P

With 20+ pages of content, the guide ($29.99) includes:

  • a list of topics to include 
  • tips for your P-Card Intranet home page
  • procedure writing best practices
  • examples of procedure formats
  • sample survey to obtain users’ feedback 
  • sample text you can customize
  • checklists to evaluate key sections
  • guidance on content development

Sneak Peek of Procedure Writing Advice

Design matters. I have seen too many P&P manuals comprised of large, unappealing text-heavy paragraphs. To give them new life, the guide recommends separating general information from procedures and making procedures more prominent. Courtesy of a 2016 blog post, here are “before” and “after” examples.

Before a revitalization effort, the steps are buried in the text block and the passive voice adds to the dullness.  

P&P before.png

The revised version reflects a script format to separate the tasks by job role. Each action begins with a verb and speaks to the person responsible.

P&P after.png

Assessing Your P-Card Program Risk

The Excel template ($89.99) includes nine worksheets for a program manager to complete, based on these topics:

  1. Program Overview
  2. Policies and Procedures
  3. Card Issuance
  4. Card Controls
  5. Card Usage and Activity
  6. Card Cancellation
  7. Accounting Processes
  8. Information Security
  9. Program Administrator/Manager

In all, there are more than 100 questions, providing a robust evaluation of P-Card controls.

Sneak Peek of Program Overview Information

To begin a P-Card risk assessment, document general facts about the program, such as:

  • date of the last risk assessment
  • program changes since then
  • year of program implementation
  • department responsible for program management
  • current card issuer
  • current number of cardholders/accounts
  • targeted dollar threshold for P-Card purchases
  • program metrics and benefits (to highlight the value of P-Cards)
  • information about internal card fraud cases (to put fraud into perspective)

This helps everyone who might review the assessment become more familiar with the program.

See also other content related to controls and fraud.

Please visit the store to see more and make a purchase: https://www.recharged-education.com/store/

About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With more than 15 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more

Subscribe to the Blog

Receive notice of new blog posts.

Who audits the program manager?

In the life of a Commercial Card program, cardholders are routinely under a microscope. Yet, an auditor’s radar may fail to pick up the program manager or administrator (PM/PA). Even if the PM/PA is a rock star within the organization, no one should be exempt from an audit process. Following are six PM/PA aspects for your internal audit team to review.

PM/PA Aspects to Audit

1. Separate from the policies and procedures (P&P) cardholders must follow, are there current, documented procedures for tasks executed by the PM/PA? Examples include steps the PM/PA follows to establish a new card account, monthly reporting and analysis performed by the PM/PA, and how to resolve card usage issues like declined transactions.

2. Perhaps most important, does the PM/PA consistently follow documented procedures? For example: 

  • If the PM/PA must ensure a card applicant completes training prior to receiving a card, the auditor should review the timing of the training versus the timing of card issuance/activation.
  • If the PM/PA must notify a cardholder’s manager upon instigating a temporary limit increase, is there documentation (e.g., an email to the manager) to support this?   

3. What type of system access does the PM/PA have? Is there adequate separation of duties? For example, the same person should not be able to:

  • download transaction interface files from the issuer and upload into the finance system
  • upload transaction interface files into the finance system and make coding changes/other corrections to the uploaded information

If a lack of resources makes separation of duties impossible for certain activities, then, at a minimum, there should be sufficient means to monitor the PM/PA’s activity, such as an electronic audit trail and/or management oversight.  

4. Are there effective controls to ensure the PM/PA does not obtain unauthorized cards? In my role as a PM, an auditor asked what prevented me from getting and using a card without anyone knowing. I had to admit that it would be easy for me to obtain a card for myself, but I explained the detective controls that would catch this.

5. Is the PA/PM allowed adequate time to spend on card program management? If they are pulled in too many directions, it increases the risk to the organization and the program will likely flounder. An auditor can help shed light on this problem.

6. Is there sufficient backup for when the PM/PA is out of the office or otherwise unavailable? Select an appropriate employee—someone with the right skills—for this role. Also, if someone is trained as a backup, but does not routinely execute back-up duties, then he or she might get rusty. 

Final Thoughts

The PM/PA is critical to long-term card program success. An organization should design the role thoughtfully, hire wisely, and audit regularly (e.g., annually). 

Related Resources

If your organization would like assistance with developing the PM/PA role and/or audit process for the P-Card program, contact Recharged Education.

About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With more than 15 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more

Subscribe to the Blog

Receive notice of new blog posts.