Auditing the P-Card PM/PA

In the life of a Commercial Card/P-Card program, cardholders are routinely under a microscope. Yet, an auditor’s radar may fail to pick up the program manager or administrator (PM/PA). Even if the PM/PA is a rock star within the organization, no one should be exempt from an audit process. Following are six PM/PA aspects for your internal audit team to review.

Related Resources

• More about the card program manager/administrator (PM/PA) role

• Content to include in a program manager/administrator manual

• Auditing a Purchasing Card program

Don't forget to subscribe to the blog (no charge) to receive educational content!

PM/PA Aspects to Audit

1. Separate from the policies and procedures (P&P) cardholders must follow, are there current, documented procedures for tasks executed by the PM/PA? Examples include steps the PM/PA follows to establish a new card account, monthly reporting and analysis performed by the PM/PA, and how to resolve card usage issues like declined transactions.

2. Perhaps most important, does the PM/PA consistently follow documented procedures? For example: 

• If the PM/PA must ensure a card applicant completes training prior to receiving a card, the auditor should review the timing of the training versus the timing of card issuance/activation.

• If the PM/PA must notify a cardholder’s manager upon instigating a temporary limit increase, is there documentation (e.g., an email to the manager) to support this?   

3. What type of system access does the PM/PA have? Is there adequate separation of duties? For example, the same person should not be able to:

• download transaction interface files from the issuer and upload into the finance system

• upload transaction interface files into the finance system and make coding changes/other corrections to the uploaded information

If a lack of resources makes separation of duties impossible for certain activities, then, at a minimum, there should be sufficient means to monitor the PM/PA’s activity, such as an electronic audit trail and/or management oversight.  

4. Are there effective controls to ensure the PM/PA does not obtain unauthorized cards, whether for himself/herself or someone else?

5. Is the PA/PM allowed adequate time to spend on card program management? If they are pulled in too many directions, it increases the risk to the organization and the program will likely flounder. An auditor can help shed light on this problem.

6. Is there sufficient backup for when the PM/PA is out of the office or otherwise unavailable? Select an appropriate employee—someone with the right skills—for this role. Also, if someone is trained as a backup, but does not routinely execute back-up duties, then he or she might get rusty.