A P-Card Separation of Duties Dilemma

How strong are the separation of duties within your P-Card program? An auditor who used my risk analysis template contacted me recently because one AP clerk performs accounting-related tasks that I recommend be split among two or three people. She described how this employee is responsible for: 1) downloading the file of transaction data from the card issuer, 2) making any necessary corrections to account/budget codes within the file, and 3) uploading the corrected file into their accounting/finance system. She asked me about the risks and what I would suggest they change. Certainly, this organization is not alone in having limited accounts payable resources, which makes complete separation of duties difficult to achieve. As a result, compensating controls are even more important. Keep reading to see more about the dilemma noted above and suggestions for improving the situation.

Risks

Within the text file format (.txt)—the format of the interface file downloaded from the issuer—someone can change any part of the data, not just account/budget codes. This organization confirmed to me that there is no record or report of the changes the AP clerk makes within this file. For instance, she could change a vendor name to hide where someone made a purchase.

If the AP clerk also has the ability to order/request new P-Cards, then she could order a card for herself, use it for personal purchases, and change the cardholder name of the resulting transactions in order to conceal her fraud. While this example is a bit far-fetched, it could still happen. Even though internal departments have the opportunity to review spend reports generated by the accounting system (as a compensating control), they may or may not catch something like this. On a side note, monitoring new cards issued each month is a control for catching unauthorized cards.

Suggestions

  • Make every effort to separate the duties and/or establish the appropriate oversight.

  • Avoid making any changes within the downloaded interface file. Besides the risks noted above, it is too easy to accidentally do something that shifts the data, which can cause problems when uploading to the accounting system. Make the necessary corrections after the file is uploaded.

  • Inquire about the ability of the accounting system to produce an audit trail—a record or report—of changes made. If one is available, a supervisor should review it.

  • Compare reports from the card issuer’s system to reports from the accounting/finance system to ensure accuracy. At least do some spot checking concerning vendor and/or cardholder totals. For example, if a report from the card issuer shows John Smith spent $3,100 for the cycle, verify against the accounting system. This type of activity should be completed by someone who is not involved with the three steps noted above in the post introduction.

  • Finally, contact cardholders and their manager-approvers about any coding errors, so they can learn from the mistakes.

Risk Analysis Event and Template

In June, I will be delivering a three-hour virtual workshop on P-Card risk assessments, hosted by AP Now. One of the planned topics is potential risks related to accounting processes. For details and registration, please visit AP Now. As a bonus, attendees will receive a copy of the risk analysis template by Recharged Education, which normally sells for $89.99. It includes more than 100 questions to help you do a robust evaluation of P-Card controls.

Do you have a gap in your P-Card controls? Evaluate the risk and the potential solutions.

Do you have a gap in your P-Card controls? Evaluate the risk and the potential solutions.



Subscribe to the Blog

Receive notice of new blog posts.

About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With 20 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more

Build a Foundation for Successful Audits

What do home remodeling projects and P-Card audits have in common? Unexpected surprises—usually not the good kind—are one commonality. Whether a home or card program, something that appears to be sound might have issues lurking that only remodeling or auditing, respectively, will uncover. Another big commonality between the two, as observed by Doug Hindsley, is the do-it-yourselfer who cuts corners and/or lacks the expertise to effectively do the job. Ultimately, this can cost more than hiring a professional from the start. As the senior partner of Card Integrity, a company with solutions to improve the success of your card programs, Doug has data to back up his observations. I first interviewed him about the auditing process in 2017 (see link to that post at the end), so I was thrilled to do so again recently. His insights below include common surprises you can minimize through robust policies, how to help managers be more successful, and tips for organizations who do their own transaction auditing (the DIYers).

Common Surprises

For home projects and card programs alike, surprises typically mean more money is shelled out. Card Integrity’s proprietary analysis of literally millions of card transactions over the years has resulted in some recurring findings of added expenses that usually surprise their end-user customers. Two examples are:

  • the high number of Amazon prime memberships the organization is unknowingly paying for, even if/when an organization is moving to Amazon Business

  • how much the organization is paying for employee recognition gifts and awards (e.g., flowers, gift cards, special lunches, etc.)

To avoid these surprises at your organization, ensure the card program policies clearly address both. Describe what is and is not allowed, any special procedures or approvals required pre-purchase, and the appropriate supporting documentation to provide with the expenses.

The Offenders

I also asked Doug who Card Integrity most often sees as a policy offender. He confirmed what I have read elsewhere, such as in the annual Report to the Nations by the Association of Certified Fraud Examiners (ACFE). Contrary to popular belief, new employees are not the only offenders. Policy infractions as well as fraud happen at every job level, regardless of an employee’s length of service. Doug mentioned one recent case of a VP who made personal purchases of cashmere scarves and yet they made it through the approval process.

Just as a good contractor monitors the work in progress, anyone who fulfills an oversight/approver role for the card program must be diligent in their reviews of employees’ expenses. However, we all know that this is hit or miss, which is a significant issue. My own informal research has revealed most organizations do not apply any consequences to manager-approvers who flounder or fail at their card program role. As such, the poor behavior never improves.

Helping Managers Be More Successful

As Doug and I discussed, managers are overloaded, so they rubber stamp everything in an effort to just keep up. I published a related blog post a few years ago, Give Your Managers a Life Preserver. Card Integrity supports the preservation cause by offering concise reports, such as 20 lines of “weird stuff” that managers should take a closer look at. This greatly alleviates the burden on managers to find a needle in a haystack, saving valuable time. Doug shared that, as a result, some of their corporate clients do not even require managers to look at every transaction anymore (even though they still have access to the data).

Regardless of your organization’s approach to auditing, help your managers be more successful by training them on what to look for when reviewing expenses and when they should dig deeper. Determine what reports you can provide to support them.

About Those DIYers

If your organization decides to tackle the auditing of card transactions on your own, utilize whatever tools are available, even if it is just Microsoft Excel, and be thoughtful about the receipt aspect. Too often, Doug sees that receipt confirmation is merely a checkbox on the audit form; there is little to no review of what was purchased. In some cases, the “auditor” is someone who may not know whether a particular purchase is allowed; for example, higher education institutions who pay a student to do the auditing. Whenever possible, take advantage of Level III transaction detail instead of doing a receipt review for the applicable vendors.

Finally, Doug stresses the importance of being timely, visible, and consistent with your audits. Cardholders often feel picked on when they are singled out for an innocent mistake, especially if the same mistake is made by someone else who does not get called out. To make audit results less personal, report on the aggregate or by department. Don’t forget to include positive results as well.

For more on Doug’s insights, access the 2017 post, Rethinking the Audit Process, which describes how to address chronic problems, frequently overlooked audit criteria, the drawbacks of manual audits, and more.

Photo by rawpixel on Unsplash

Photo by rawpixel on Unsplash

About Card Integrity

Card Integrity expense solutions further examine your spend data to detect hidden fraud, target policy compliance, and alert employees to smarter spending habits. Combined with advanced analytics, Card Integrity delivers powerful insights with prioritized reporting and relevant communication. By monitoring expenses, validating receipts, and training cardholders, the suite of expense solutions helps leading organizations to effectively manage spend.

Card Integrity takes service to the next level with flexible, custom reporting; easy onboarding; and ongoing assistance. Companies of all sizes and industries, including top U.S. and global companies, colleges and universities, and government agencies, support card and payment programs with Card Integrity solutions to get spending under control.

To learn more about Card Integrity, visit our website to ask for a case study at: https://www.cardintegrity.com/case-studies/. Better yet, meet us in person at the NAPCP Commercial Card and Payment Conference next month and visit our table in the exhibitor hall. We look forward to seeing you there and finding out how we can help your program to grow!


About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With 20 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more

Subscribe to the Blog

Receive notice of new blog posts.

Metrics that Turn the P-Card Tables Around

If your management fails to see the value of Purchasing Cards beyond the potential rebate, then you might need to beef up your metrics. First, be sure you are quantifying and sharing the positive impact of P-Cards within your organization (e.g., process savings). However, you might need to go a step further by painting the picture of what your procure-to-pay processes would look like and cost without cards. After I recommended this action within the previous post about rebates, a subscriber asked me how to begin and what metrics to include. In short, the exercise involves quantifying how accounts payable (AP) would be affected and outlining the resulting added burden on other employees. Keep reading to see the details. Would such an approach grab your management’s attention?

Additional Invoice Volume = Additional Staff

If there were no P-Cards, how many more AP full-time equivalents (FTEs) would be needed to process the increased invoice volume and how would this translate into dollars (e.g., average salary of an AP FTE)?

First, how many invoices are processed by one AP FTE per month today? Using data from various AP Now surveys, 2000 invoices per FTE per month is within the realm of possibilities. It will vary by organization, based on the invoice process and extent to which technology is used. Find out what applies to your AP staff.

Now let’s assume a modest P-Card program of $10M per year. If you divide this by an average transaction amount like $400, this would be 25,000 transactions per year or nearly 2100 per month. Moving the P-Card volume back to AP would require an additional AP FTE. Again, pull the applicable data for your program to make the metrics meaningful.

More Suppliers = A Ballooning Master Vendor File

Non-card payments mean adding suppliers to AP’s master vendor file (MVF). Based on your P-Card data, how many suppliers would this be? Would even more AP FTEs be needed to manage it? Think about the supplier information that would be required and the added burden on your 1099 reporting process.

No Cards = Tedious Procure-to-Pay Processes

In addition to the metrics noted above, map out the various potential procure-to-pay (P2P) processes in a “non-card” world and make comparisons to the efficient P-Card P2P process currently in use. For example:

Limited Use Suppliers

Consider all the suppliers currently paid via P-Card for a one-time purchase. Not only would you need to set up these suppliers in the MVF, the procurement aspect would likely be more difficult. Identify a common example from your P-Card data; for instance, employees needing to register and pay for a business conference. Without a card to easily take care of it, what would an employee need to do? All of the options are tedious and slow for your employees and suppliers.

Recurring Suppliers

The procurement process might remain the same with suppliers from which cardholders order through a designated website today, such as Staples and Grainger. However, you would need to work with the applicable suppliers on the desired invoice process. How would invoices arrive? Would AP need to manually break down by cost center? Maybe some suppliers would send an appropriate electronic interface file to eliminate manual keying by AP, but this requires extra work, too, to establish.

Conclusion

There are all kinds of P-Card metrics to demonstrate the status of a program, but sometimes the most eye-opening metrics are the hypothetical ones.

You don’t know what you’ve got ‘til it’s gone.
— "Big Yellow Taxi," Joni Mitchell

Related Resources

If management can’t see past Commercial Card rebates, present the costly realities of a payment strategy without cards.

If management can’t see past Commercial Card rebates, present the costly realities of a payment strategy without cards.



Subscribe to the Blog

Receive notice of new blog posts.

About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With 20 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more