How can an organization accomplish the separation of duties best practice when there is a small staff? A subscriber recently emailed this question to me. Needless to say, do not just skip this important control. If only one employee is assigned the responsibility and system access to accomplish various card program management tasks, it opens the door to potential risks. I have previously stressed the need to have appropriate backup for the card program manager/administrator (PM/PA), but this goes deeper. Separation of duties is necessary for fraud prevention. A small staff means that a manager might need to play a bigger role and/or an independent contractor might be necessary for some projects. More on this below, which describes three controls that every organization should establish, regardless of staff size. The last one might surprise you.
Program Oversight
Even if your organization only has one PM/PA, at least one other employee should have the same system access. Not only does this help when backup is needed, it provides the means to spot check various program management activities. Further, certain reports should be pushed directly from the issuer’s system to a designated reviewer other than the PM/PA.
As an example, you want to ensure the PM/PA does not order unauthorized cards. Ideally, the PM/PA should not submit new card requests to the issuer, as well as receive new cards (or confirm receipt if cards are sent directly to cardholders). Someone else should be informed about all the new cards requested. A monthly “new cards/accounts” report reviewed by the PM/PA’s supervisor can fill this control.
Auditing the PM/PA
Besides ongoing program oversight of the PM/PA’s actions, there should be annual auditing. If your organization does not have an internal auditor, then hire a qualified contractor to complete the work. Even if the PM/PA is a rock star within the organization, no one should be exempt from an audit process. See six PM/PA aspects to audit.
Mandatory Vacation Policy
Mary Schaeffer, AP Now, writes about this control in her book, 127 Best Practices for Accounts Payable, but it is applicable to P-Card program management, too. She notes that anyone who has anything to do with the payment process should be required to take five consecutive days off during which time someone else performs their job functions. The theory is, if any ongoing fraud is happening, it would be uncovered during this time. When she has surveyed her members in the past, the percentage of those who have this time off requirement and enforce it is just over 10%.
I know far too many PM/PAs who basically never disconnect from work because no one else is cross-trained as a backup. There is nothing positive about such scenarios. Learn more about backups…
Final Thoughts
No matter your staff size, has your organization identified its risks concerning separation of duties? Conducting a thorough P-Card risk analysis is a good starting point. While a small staff can make things more challenging, it can be overcome and your program will be better off. If you need further convincing on the value of separation of duties, read about how the lack thereof contributed to internal fraud at a higher education institution.
Speaking of fraud, it is one of the topics to be covered at the Global Virtual AP Summit on March 9 and 10 (I am a panelist). The event is hosted by AP Now in the U.S. and the UK’s Accounts Payable Association. The cost is only $35; register via AP Now or first watch an eight-minute preview.
Related Resources
Photo by Carl Heyerdahl on Unsplash
Available Products & Services from Recharged Education
Submit a contact form to request a quote for what your organization needs.
Subscribe to the Blog
Receive notice of new blog posts.
About the Author
Blog post author Lynn Larson, CPCP, launched Recharged Education in 2014. With 20 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more…