In the life of a Commercial Card program, cardholders are routinely under a microscope. Yet, an auditor’s radar may fail to pick up the program manager or administrator (PM/PA). Even if the PM/PA is a rock star within the organization, no one should be exempt from an audit process. Following are six PM/PA aspects for your internal audit team to review.
PM/PA Aspects to Audit
1. Separate from the policies and procedures (P&P) cardholders must follow, are there current, documented procedures for tasks executed by the PM/PA? Examples include steps the PM/PA follows to establish a new card account, monthly reporting and analysis performed by the PM/PA, and how to resolve card usage issues like declined transactions.
2. Perhaps most important, does the PM/PA consistently follow documented procedures? For example:
- If the PM/PA must ensure a card applicant completes training prior to receiving a card, the auditor should review the timing of the training versus the timing of card issuance/activation.
- If the PM/PA must notify a cardholder’s manager upon instigating a temporary limit increase, is there documentation (e.g., an email to the manager) to support this?
3. What type of system access does the PM/PA have? Is there adequate separation of duties? For example, the same person should not be able to:
- download transaction interface files from the issuer and upload into the finance system
- upload transaction interface files into the finance system and make coding changes/other corrections to the uploaded information
If a lack of resources makes separation of duties impossible for certain activities, then, at a minimum, there should be sufficient means to monitor the PM/PA’s activity, such as an electronic audit trail and/or management oversight.
4. Are there effective controls to ensure the PM/PA does not obtain unauthorized cards? In my role as a PM, an auditor asked what prevented me from getting and using a card without anyone knowing. I had to admit that it would be easy for me to obtain a card for myself, but I explained the detective controls that would catch this.
5. Is the PA/PM allowed adequate time to spend on card program management? If they are pulled in too many directions, it increases the risk to the organization and the program will likely flounder. An auditor can help shed light on this problem.
6. Is there sufficient backup for when the PM/PA is out of the office or otherwise unavailable? Select an appropriate employee—someone with the right skills—for this role. Also, if someone is trained as a backup, but does not routinely execute back-up duties, then he or she might get rusty.
The PM/PA is critical to long-term card program success. An organization should design the role thoughtfully, hire wisely, and audit regularly (e.g., annually).
If your organization would like assistance with developing the PM/PA role and/or audit process for the P-Card program, contact Recharged Education.
About the Author
Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With more than 15 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more…
Subscribe to the Blog
Receive notice of new blog posts.