What does your organization rely on to catch inappropriate P-Card spend and potential fraud by cardholders? Does your confidence rest with the manager approval process? What about your auditing approach? In the article below, Paul Newton explores drawbacks concerning approval processes and the positive impact of analytics. His insights could lead your organization to rethink its detective P-Card controls.

Disruption in Risk Management for Purchase Cards

by Paul Newton

In a recent conversation with a partner at a mid-market CPA firm, it occurred to me that, because analytics makes the detection of purchase card fraud far easier, the risk management business may well be facing considerable disruption as a result.

Control with a Low Likelihood of Detection

For purchase card spend, testing methods have largely been manual/sporadic. The credible threat of post-approval detection was low and the strength of implemented processes (e.g., workflow, governance, systems and policies) were the primary deterrent to inappropriate spending. Unfortunately, transaction approval processes have two insurmountable weaknesses:

1. the human element (e.g., managers “approve all” because they don’t have time to review each line item)

2. the focus on overt policy violations despite employees “gaming” the system with inappropriate spend that is not technically a policy violation (“It doesn’t say I can’t use Venmo”)

Despite best efforts, fraud and wasteful spend do get past implemented processes, with very little chance of subsequently being detected. Indeed, most fraud cases are stumbled upon rather than arising from a systematic detection approach. The illustration below depicts the control framework as it has been historically—with a low likelihood of post-approval detection.

Some readers may feel that their processes do a more thorough job of preventing fraud and waste, but it has been my experience from creating comprehensive testing regimes that a shockingly large amount of problematic spend still occurs. Nevertheless, the point is that, historically, the process is the main form of control.

Control with a High Likelihood of Detection

Today’s analytics tools make it possible to create a large library of complex tests which can be re-run with little incremental effort. A rule that identifies split meals, for example, will identify every split meal, every single time, while machine learning methods identify outliers based on patterns that humans could never detect. Thus, very little gets past post-approval detection methods.

Upon first glance at the illustration above, one may conclude that analytics simply detects more things, which is no surprise. However, it also implies that implemented processes are of less importance when you have a high likelihood of detection. Even for firms with rudimentary process frameworks, fraud and waste will still be detected. This has a profound impact. Focusing on a [much cheaper] analytics component that provides a high likelihood of detection results in less fraud/waste than implementing extensive processes.

Furthermore, because the volume and complexity of tests make detection methods opaque, the probability of detection is high, but unknowable—and our risk-averse nature fosters self-regulation. After all, you can’t game the system if you don’t know the rules. Now the detection methods are the main form of control.