Recharged Education™

View Original

Control Weaknesses that Put Your Card Program at Risk

If you dig into any news story about internal card fraud, you will see certain control weaknesses that emerge in nearly all cases. At the broadest level, haphazard transaction reviews by cardholders’ managers and the lack of effective auditing are two big issues. You might think your card program is in good shape here, but take a look at the details. As described below, there are two things that have appeared in several fraud stories the past few years. Is your program guilty of the same control gaps? Further, if you discover internal fraud, make sure your organization steers clear of the mistakes noted at the end of this post.

Transaction Approval Control Weakness

A cardholder’s manager or an appropriate alternative (someone in a position with more authority than the cardholder) has important responsibilities; learn more about the manager-approver role. Besides the obvious control weakness that the designated person is not doing their job, consider the process.

Allowing “wet signatures” or the usage of a rubber stamp signature on paper receipts, statements, transaction reports, etc. opens the door to fraud. Wet/written signatures can be easily forged. As for rubber stamps with signatures, frankly, I don’t think they should be used for any steps in purchase-to-pay processes. For an example of a fraud case involving a rubber stamp component, see Former UA Aide Charged in Fraud.

What to Do Instead

Enforce transaction review and manager approval via technology, such as the solution offered by your card issuer, your organization’s ERP system, or other system. Each person having their own unique system login credentials is a far better control than signatures. These solutions also commonly offer work flow approval functionality that help remind manager-approvers of their duties.  

Auditing/Program Management Control Weakness

Some organizations import card transaction data into their ERP system for transaction review by cardholders, but they have chosen to omit the supplier name from the interface. This practice can be fine, but a control weakness is not having compensating controls to review the suppliers paid via card.

Far too many fraud stories indicate a cardholder concealed their personal purchases by altering documentation related to the suppliers used. In one elaborate case (HP finance manager went on $5M personal spending spree with company card), the cardholder used her card to pay fictitious vendors that she created and set up with merchant accounts for card acceptance. In other words, she paid herself.

What to Do

No matter your organization’s process for transaction reconciliation, your auditing strategy should include obtaining the original data from the card issuer. With the help of technology or a third-party auditing solution:

  • Review the suppliers that have been paid via a card and track supplier usage—from highest to lowest spend—each month, as well as year to date.

  • Identify the suppliers for which spend has exceeded “X” amount (whatever your organization deems significant).

  • Take a closer look at high usage suppliers, especially if they are not familiar to your organization.

  • If supplier names are part of the interface file that is uploaded into an internal system (e.g., ERP), consider also comparing that internal system with the card issuer’s data in terms of suppliers used. Mismatches would likely be due to someone altering the data after it is brought in house.

Final Advice

As any quick Internet search will reveal, internal card fraud happens to all sizes and types of organizations. However, the threat can be greatly minimized with strong controls. This includes being prepared if internal fraud is suspected and, subsequently, confirmed.

Do not go rogue by playing private investigator. Missteps along the way could ultimately harm the case if your organization wants to pursue criminal charges. To ensure a case could hold up in court, consult with your legal team to create procedures for what to do if suspicious activity arises.

Some organizations go a completely different route by allowing employees to resign when fraud is found. Such action will usually mean that the organization eats the losses. Conversely, if the offending employees are terminated, commercial card liability waivers can protect the organization.

Related Resources

Visit the Controls & Fraud section of the website for additional advice, tips and fraud stories.

Background photo by Mick Haupt on Unsplash.

Available Products & Services from Recharged Education

Submit a contact form to request a quote for what your organization needs.


Subscribe to the Blog

Receive notice of new blog posts.

About the Author

Blog post author Lynn Larson, CPCP, launched Recharged Education in 2014. With more than 20 years of commercial card experience, her mission is to make industry education readily accessible to all. Learn more