Purchasing Card Audits
P-Card audits can be categorized into two primary types—transaction audits and process audits. Following are suggestions for both. Transaction audits often draw the most attention because they are aimed at detecting fraudulent activity. However, do not overlook process audits, which are important for testing the effectiveness of preventative P-Card controls, such as training, and measuring the level of compliance.
Coming Up: May 2018 eWorkshop for Auditors
A four-hour virtual training course offered by The Institute of Internal Auditors/American Center for Government Auditing and delivered by Lynn Larson, CPCP, Recharged Education.
- Session 1: May 7, 2018, 1:00 PM to 3:00 PM Eastern
- Session 2: May 9, 2018, 1:00 PM to 3:00 PM Eastern
Who, How, When
- could be conducted by the P-Card program administrator or manager (PA/PM), an internal audit department or other department
- can be accomplished through technology; for example, several companies offer auditing technology solutions to streamline the process and minimize reliance on human efforts
- should occur a minimum of monthly
What to Avoid
- Manually auditing all P-Card transactions every month, which is cumbersome and costly
- Exclusively conducting random, percentage-based audits (e.g., 10% of transactions), which can result in some cardholders slipping through the cracks
Strategic P-Card Audits
Your strategy should include auditing transactions that have certain attributes, such as those:
- at or above a certain dollar threshold
- with certain merchant category codes (MCCs) and/or suppliers (e.g., Amazon)
- containing key words that could indicate a prohibited purchase per your policies and procedures
- occurring during non-business hours
Also look for suppliers used by only one cardholder; this might indicate an issue or something fishy.
In addition, audit all transactions by certain cardholders, such as those who:
- are new to the cardholder role
- have a new manager/approver
- exceed a certain number of transactions during the month
These are just some examples. In addition, do not exclude C-suite cardholders just because of their job level.
Audit Cost vs. Benefit
If your efforts are primarily manual today, take the time to calculate the labor cost, based on the amount of time spent auditing and the average compensation of the employees performing the audits. Compare how much it costs to the issues they find. You might be spending hundreds of dollars to find few issues. It also could be time to explore automated auditing solutions. See a related blog post about manually auditing 100% of transactions.
P-Card process audits are usually conducted at least annually by internal and/or external auditors. Because the same tired, old audit can become ineffective, take the time to prepare a customized audit.
The keys are:
- reviewing past audit results, which may indicate areas worthy of more scrutiny
- researching industry trends to identify new things to look for, such as card misuse within other organizations (how it happened, what controls were missing) and new scams by external fraudsters (e.g., new phishing tactics)
- understanding changes to the program since the last audit to ensure controls were established for any new card uses
What to Use
Obtain a copy of the:
- most current P-Card risk assessment
- last audit results, as noted above
- program policies and procedures
Audit against all of these. For example, determine whether any control gaps (per the risk assessment) have been resolved. Evaluate the level of compliance with P-Card policies and procedures; include cardholders, managers/approvers and the PA/PM.
What to Do with Audit Results
- Compare to past audit results to identify what has changed
- Develop action items that will improve the program
- Ensure action items are assigned and make plans to follow up
- Share with the appropriate parties, such as the PA/PM and his or her management