The Misused Power of One

It has been reported that the former employee (Amit Patel) was the sole administrator of the organization’s virtual credit card program. In this case, virtual cards are issued to individuals for making authorized business purchases (e.g., travel expenses), not virtual cards used by accounts payable to pay invoices.

Patel had full access to manage all aspects of the program, and there were no controls to stop him from committing fraud and no ongoing controls to catch it. Learn more about separation of duties. Patel could request new virtual cards, including for himself. He could manipulate and manufacture transaction data—easily hiding his fraudulent transactions—before passing the file over to the accounting department. He even oversaw department budgets.

Per news reports, apparently Patel is a nice person and was well-liked in the organization. But, as I have written before, even nice people can steal. If an organization ignores implementing effective controls because all their employees are nice, they will likely have a rude awakening at some point.

Addressing the Data Problem

Keep in mind that downloaded files—formats such as .xlsx .csv, .txt and even .pdf—can usually be edited. Patel used this ability to his full advantage.

I have long recommended that an organization’s auditing strategy should include obtaining the original data from the card issuer. In light of the Jaguars’ fraud, this control needs to go further. Someone other than a program administrator (PA) or program manager (PM) should obtain the original transaction data from the card issuer’s system for auditing purposes each month. Most of these systems have some type of “auditor” access role, separate from an administrator role.

If you are not using a third-party auditing solution for the monitoring of transactions, then the next best approach is to utilize readily available programs like Microsoft Excel. Again, an auditor or similar independent entity should make comparisons between card transaction data uploaded into an internal finance system and data from the card issuer’s system. Excel tools like conditional formatting can help you identify potential issues like someone editing information.

Access a previous blog post to see more about what to do with transaction data.  

Further, the person performing an audit function should also pull a monthly report from the card issuer’s system showing new cards issued. Have any cards been issued to people who should not have one, per organization policy? As an example, many organizations prohibit a PA or PM from having a card. This brings me to my last point.

Even if the PA/PM is well-liked and trusted within the organization, no one should be exempt from an audit process. When is the last time your organization’s PA/PM was audited? See related tips.

Related Podcast

Mary Schaeffer of AP Now and I discussed the Jaguars’ fraud case on a recent podcast. Check it out on YouTube to hear what motivated this person to steal and the many control weaknesses that can be gleaned from the case.

Available Products & Services from Recharged Education

• Complimentary online content

• Resources available for purchase

• Fee-based services for industry providers and end-user organizations, such as training, consulting, and content development

Submit a contact form to request a quote for what your organization needs.

Subscribe to the Blog

Receive notice of new blog posts.

About the Author

Blog post author Lynn Larson, CPCP, launched Recharged Education in 2014. With more than 20 years of commercial card experience, her mission is to make industry education readily accessible to all. Learn more…