Build a Foundation for Successful Audits

What do home remodeling projects and P-Card audits have in common? Unexpected surprises—usually not the good kind—are one commonality. Whether a home or card program, something that appears to be sound might have issues lurking that only remodeling or auditing, respectively, will uncover. Another big commonality between the two, as observed by Doug Hindsley, is the do-it-yourselfer who cuts corners and/or lacks the expertise to effectively do the job. Ultimately, this can cost more than hiring a professional from the start. As the senior partner of Card Integrity, a company with solutions to improve the success of your card programs, Doug has data to back up his observations. I first interviewed him about the auditing process in 2017 (see link to that post at the end), so I was thrilled to do so again recently. His insights below include common surprises you can minimize through robust policies, how to help managers be more successful, and tips for organizations that do their own transaction auditing (the DIYers).

Common Surprises

For home projects and card programs alike, surprises typically mean more money is shelled out. Card Integrity’s proprietary analysis of literally millions of card transactions over the years has resulted in some recurring findings of added expenses that usually surprise their end-user customers. Two examples are:

  • the high number of Amazon Prime memberships the organization is unknowingly paying for, even if/when an organization is moving to Amazon Business

  • how much the organization is paying for employee recognition gifts and awards (e.g., flowers, gift cards, special lunches, etc.)

To avoid these surprises at your organization, ensure the card program policies clearly address both. Describe what is and is not allowed, any special procedures or approvals required pre-purchase, and the appropriate supporting documentation to provide with the expenses.

The Offenders

I also asked Doug who Card Integrity most often sees as a policy offender. He confirmed what I have read elsewhere, such as in the annual Report to the Nations by the Association of Certified Fraud Examiners (ACFE). Contrary to popular belief, new employees are not the only offenders. Policy infractions as well as fraud happen at every job level, regardless of an employee’s length of service. Doug mentioned one recent case of a VP whose personal purchases of cashmere scarves made it through the approval process.

Just as a good contractor monitors the work in progress, anyone who fulfills an oversight/approver role for the card program must be diligent in their reviews of employees’ expenses. However, we all know that this is hit or miss, which is a significant issue. My own informal research has revealed most organizations do not apply any consequences to manager-approvers who flounder or fail at their card program role. As such, the poor behavior never improves.

Helping Managers Be More Successful

As Doug and I discussed, managers are overloaded, so they rubber stamp everything in an effort to just keep up. I published a related blog post a few years ago, Give Your Managers a Life Preserver. Card Integrity supports the preservation cause by offering concise reports, such as 20 lines of “weird stuff” that managers should take a closer look at. This greatly alleviates the burden on managers to find a needle in a haystack, saving valuable time. Doug shared that, as a result, some of their corporate clients do not even require managers to look at every transaction anymore (even though they still have access to the data).

Regardless of your organization’s approach to auditing, help your managers be more successful by training them on what to look for when reviewing expenses and when they should dig deeper. Determine what reports you can provide to support them.

About Those DIYers

If your organization decides to tackle the auditing of card transactions on your own, utilize whatever tools are available, even if it is just Microsoft Excel, and be thoughtful about the receipt aspect. Too often, Doug sees that receipt confirmation is merely a checkbox on the audit form; there is little to no review of what was purchased. In some cases, the “auditor” is someone who may not know whether a particular purchase is allowed; for example, a student paid by a higher education institution to do the auditing. Whenever possible, take advantage of Level III transaction detail instead of doing a receipt review for the applicable vendors.

Finally, Doug stresses the importance of being timely, visible, and consistent with your audits. Cardholders often feel picked on when they are singled out for an innocent mistake, especially if the same mistake is made by someone else who does not get called out. To make audit results less personal, report on the aggregate or by department. Don’t forget to include positive results as well.

For more on Doug’s insights, access the 2017 post, Rethinking the Audit Process, which describes how to address chronic problems, frequently overlooked audit criteria, the drawbacks of manual audits, and more.

Photo by rawpixel on Unsplash

About Card Integrity

Card Integrity expense solutions further examine your spend data to detect hidden fraud, target policy compliance, and alert employees to smarter spending habits. Combined with advanced analytics, Card Integrity delivers powerful insights with prioritized reporting and relevant communication. By monitoring expenses, validating receipts, and training cardholders, the suite of expense solutions helps leading organizations to effectively manage spend.

Card Integrity takes service to the next level with flexible, custom reporting; easy onboarding; and ongoing assistance. Companies of all sizes and industries, including top U.S. and global companies, colleges and universities, and government agencies, support card and payment programs with Card Integrity solutions to get spending under control.

To learn more about Card Integrity, visit our website to ask for a case study at: Better yet, meet us in person at the NAPCP Commercial Card and Payment Conference next month and visit our table in the exhibitor hall. We look forward to seeing you there and finding out how we can help your program to grow!

About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With 20 years of Commercial Card experience, her mission is to make industry education readily accessible to all.

The Party’s Over for Two Cardholders Taken into Custody

Two cardholders from a university are facing federal charges in conjunction with internal card fraud, but, as always, I keep thinking about the reviewers/approvers in this case. They are supposed to be the first line of defense against cardholder fraud and misuse, but we all know that managers’ vigilance can be hit or miss. This reality means the auditing process had better be sound to catch anything missed at the cardholder and manager levels. Keep reading to see more about the fraud case, obtain six audit recommendations, and learn about a May virtual workshop for auditors.

About the Case

The two employees, who both held research-related positions at the University of New Hampshire (UNH), allegedly used their P-Cards to make thousands of dollars in personal purchases, including Amazon gift cards, and then falsified receipts. As reported by, a service of

  • The cards were intended for expenses incurred through research covered by federal grants.
  • They were required to provide receipts and written justification for their purchases.
  • Another UNH department reviewed and approved their transactions, seeking reimbursement from the appropriate grants.
  • A federal grand jury recently indicted both men on 31 counts of theft of government funds.

Read the complete article published by It indicates that the fraud was caught via a random audit, but the exact details are unknown.

Audit Recommendations

  1. Do not rely solely on random transaction audits. Be strategic; see examples.
  2. Ensure every cardholder is thoroughly audited at least once per year.
  3. If your organization does not already have it, seriously consider an auditing solution/technology. It covers more ground than what a human can do and is less prone to errors.
  4. For suppliers with whom your organization has an ongoing relationship, obtain reports showing what cardholders have purchased. This can help uncover falsified receipts.
  5. If purchases from Amazon are allowed, audit a high percentage of these transactions every month (audit 100% if using technology). Better yet, switch to Amazon Business, which offers various controls. 
  6. Occasionally verify the presence/location of purchased items to ensure the goods are not somehow “missing,” especially those that might be tempting for personal use.  

See also recommendations related to manager-approvers and how to help them be successful. I wish I knew what the aftermath was for the department that approved the two cardholders’ transactions! Accountability is critical.

P-Card eWorkshop for Auditors

Purchasing Card Audits—Best Strategies for Internal Audit

In early May, I will be delivering a four-hour virtual training course for The Institute of Internal Auditors/American Center for Government Auditing. Targeted at auditors in the public sector, but still suitable for all sectors, the content will help auditors better understand Purchasing Cards and what should be audited.

Who audits the program manager?

In the life of a Commercial Card program, cardholders are routinely under a microscope. Yet, an auditor’s radar may fail to pick up the program manager or administrator (PM/PA). Even if the PM/PA is a rock star within the organization, no one should be exempt from an audit process. Following are six PM/PA aspects for your internal audit team to review.

PM/PA Aspects to Audit

1. Separate from the policies and procedures (P&P) cardholders must follow, are there current, documented procedures for tasks executed by the PM/PA? Examples include steps the PM/PA follows to establish a new card account, monthly reporting and analysis performed by the PM/PA, and how to resolve card usage issues like declined transactions.

2. Perhaps most important, does the PM/PA consistently follow documented procedures? For example: 

  • If the PM/PA must ensure a card applicant completes training prior to receiving a card, the auditor should review the timing of the training versus the timing of card issuance/activation.
  • If the PM/PA must notify a cardholder’s manager upon instigating a temporary limit increase, is there documentation (e.g., an email to the manager) to support this?   

3. What type of system access does the PM/PA have? Is there adequate separation of duties? For example, the same person should not be able to:

  • download transaction interface files from the issuer and upload into the finance system
  • upload transaction interface files into the finance system and make coding changes/other corrections to the uploaded information

If a lack of resources makes separation of duties impossible for certain activities, then, at a minimum, there should be sufficient means to monitor the PM/PA’s activity, such as an electronic audit trail and/or management oversight.  

4. Are there effective controls to ensure the PM/PA does not obtain unauthorized cards? In my role as a PM, an auditor asked what prevented me from getting and using a card without anyone knowing. I had to admit that it would be easy for me to obtain a card for myself, but I explained the detective controls that would catch this.

5. Is the PM/PA allowed adequate time to spend on card program management? If they are pulled in too many directions, the risk to the organization increases and the program will likely flounder. An auditor can help shed light on this problem.

6. Is there sufficient backup for when the PM/PA is out of the office or otherwise unavailable? Select an appropriate employee—someone with the right skills—for this role. Also, if someone is trained as a backup, but does not routinely execute back-up duties, then he or she might get rusty. 

Final Thoughts

The PM/PA is critical to long-term card program success. An organization should design the role thoughtfully, hire wisely, and audit regularly (e.g., annually). 

Related Resources

If your organization would like assistance with developing the PM/PA role and/or audit process for the P-Card program, contact Recharged Education.

About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With more than 15 years of Commercial Card experience, her mission is to make industry education readily accessible to all.