Build a Foundation for Successful Audits

What do home remodeling projects and P-Card audits have in common? Unexpected surprises—usually not the good kind—are one commonality. Whether a home or card program, something that appears to be sound might have issues lurking that only remodeling or auditing, respectively, will uncover. Another big commonality between the two, as observed by Doug Hindsley, is the do-it-yourselfer who cuts corners and/or lacks the expertise to effectively do the job. Ultimately, this can cost more than hiring a professional from the start. As the senior partner of Card Integrity, a company with solutions to improve the success of your card programs, Doug has data to back up his observations. I first interviewed him about the auditing process in 2017 (see link to that post at the end), so I was thrilled to do so again recently. His insights below include common surprises you can minimize through robust policies, how to help managers be more successful, and tips for organizations that do their own transaction auditing (the DIYers).

Common Surprises

For home projects and card programs alike, surprises typically mean more money is shelled out. Card Integrity’s proprietary analysis of literally millions of card transactions over the years has resulted in some recurring findings of added expenses that usually surprise their end-user customers. Two examples are:

  • the high number of Amazon Prime memberships the organization is unknowingly paying for, even if/when an organization is moving to Amazon Business

  • how much the organization is paying for employee recognition gifts and awards (e.g., flowers, gift cards, special lunches, etc.)

To avoid these surprises at your organization, ensure the card program policies clearly address both. Describe what is and is not allowed, any special procedures or approvals required pre-purchase, and the appropriate supporting documentation to provide with the expenses.

The Offenders

I also asked Doug who Card Integrity most often sees as a policy offender. He confirmed what I have read elsewhere, such as in the annual Report to the Nations by the Association of Certified Fraud Examiners (ACFE). Contrary to popular belief, new employees are not the only offenders. Policy infractions as well as fraud happen at every job level, regardless of an employee’s length of service. Doug mentioned one recent case of a VP who made personal purchases of cashmere scarves, and yet the purchases made it through the approval process.

Just as a good contractor monitors the work in progress, anyone who fulfills an oversight/approver role for the card program must be diligent in their reviews of employees’ expenses. However, we all know that this is hit or miss, which is a significant issue. My own informal research has revealed most organizations do not apply any consequences to manager-approvers who flounder or fail at their card program role. As such, the poor behavior never improves.

Helping Managers Be More Successful

As Doug and I discussed, managers are overloaded, so they rubber stamp everything in an effort to just keep up. I published a related blog post a few years ago, Give Your Managers a Life Preserver. Card Integrity supports the preservation cause by offering concise reports, such as 20 lines of “weird stuff” that managers should take a closer look at. This greatly alleviates the burden on managers to find a needle in a haystack, saving valuable time. Doug shared that, as a result, some of their corporate clients do not even require managers to look at every transaction anymore (even though they still have access to the data).

Regardless of your organization’s approach to auditing, help your managers be more successful by training them on what to look for when reviewing expenses and when they should dig deeper. Determine what reports you can provide to support them.

About Those DIYers

If your organization decides to tackle the auditing of card transactions on your own, utilize whatever tools are available, even if it is just Microsoft Excel, and be thoughtful about the receipt aspect. Too often, Doug sees that receipt confirmation is merely a checkbox on the audit form; there is little to no review of what was purchased. In some cases, the “auditor” is someone who may not know whether a particular purchase is allowed; for example, higher education institutions that pay a student to do the auditing. Whenever possible, take advantage of Level III transaction detail instead of doing a receipt review for the applicable vendors.

Finally, Doug stresses the importance of being timely, visible, and consistent with your audits. Cardholders often feel picked on when they are singled out for an innocent mistake, especially if the same mistake is made by someone else who does not get called out. To make audit results less personal, report on the aggregate or by department. Don’t forget to include positive results as well.

For more on Doug’s insights, access the 2017 post, Rethinking the Audit Process, which describes how to address chronic problems, frequently overlooked audit criteria, the drawbacks of manual audits, and more.

Photo by rawpixel on Unsplash


About Card Integrity

Card Integrity expense solutions further examine your spend data to detect hidden fraud, target policy compliance, and alert employees to smarter spending habits. Combined with advanced analytics, Card Integrity delivers powerful insights with prioritized reporting and relevant communication. By monitoring expenses, validating receipts, and training cardholders, the suite of expense solutions helps leading organizations to effectively manage spend.

Card Integrity takes service to the next level with flexible, custom reporting; easy onboarding; and ongoing assistance. Companies of all sizes and industries, including top U.S. and global companies, colleges and universities, and government agencies, support card and payment programs with Card Integrity solutions to get spending under control.

To learn more about Card Integrity, visit our website to ask for a case study at: https://www.cardintegrity.com/case-studies/. Better yet, meet us in person at the NAPCP Commercial Card and Payment Conference next month and visit our table in the exhibitor hall. We look forward to seeing you there and finding out how we can help your program to grow!


About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With 20 years of Commercial Card experience, her mission is to make industry education readily accessible to all.


Do Your Audits Test Employees’ Knowledge?

Would your cardholders be able to spot and prevent a scam? A national company became a victim of business email compromise (BEC) fraud involving gift cards, even though the employee who fell for it was trained on information security. This highlights a critical component that all training programs should include: auditing. Besides covering key topics within training presentations, testing employees’ knowledge through process audits can reveal how well the training has sunk in. Keep reading to learn what happened and see if your organization is already following the presented action items.

What Happened

Proving that no organization is immune to external fraud, the company in question is in the financial services industry, which, of course, is very focused on information security. One of the manager-level employees received an email that looked like it was from a senior management member. It directed the employee to buy $2,000 worth of gift cards to be used for employee recognition purposes. The big red flag was that it instructed the employee to take immediate action following the purchase rather than go back to the office first. It stressed that the employee should uncover the cards’ security codes and then reply to the email by sending photos of the fronts and backs of the cards. The employee complied. The fraud was discovered by the Info-Security team when they were researching the same type of fraud reported by a different employee, who recognized the scam and did not fall for it.

Action Items

  • Ensure all employees—not just cardholders—are trained annually on information security. They should scrutinize any email requests that are seemingly out of the blue—something they were not expecting—and/or are different from “normal” business operations. When in doubt, they should independently verify a request and report any fraudulent attempts to the Info-Security team.

  • Keep your training current by refreshing as needed to include new fraud types and variations of common scams.

    See also additional training-related content...

  • Routinely share examples of fraud (from the news and blogs like this) to keep security at the forefront of people’s minds.

  • Within your process audits, try to simulate a scam to see if employees take the appropriate action.

  • Ask your IT group about automatically marking emails from external sources, which can help make employees more vigilant.

About BEC Fraud

As reported by the FBI, business email compromise (BEC) is a $12B scam. It is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. While it is most often associated with requests for wire payments, fraudulent requests may pertain to personal information (e.g., W-2 forms). As this blog post demonstrates, the scam has widened to include gift cards.

Would your cardholders be able to see a scam targeted at them?





The Party’s Over for Two Cardholders Taken into Custody

Two cardholders from a university are facing federal charges in conjunction with internal card fraud, but, as always, I keep thinking about the reviewers/approvers in this case. They are supposed to be the first line of defense against cardholder fraud and misuse, but we all know that managers’ vigilance can be hit or miss. This reality means the auditing process had better be sound to catch anything missed at the cardholder and manager levels. Keep reading to see more about the fraud case, obtain six audit recommendations, and learn about a May virtual workshop for auditors.

About the Case

The two employees, who both held research-related positions at the University of New Hampshire (UNH), allegedly used their P-Cards to make thousands of dollars in personal purchases, including Amazon gift cards, and then falsified receipts. As reported by fosters.com, a service of seacoastonline.com:

  • The cards were intended for expenses incurred through research covered by federal grants.
  • They were required to provide receipts and written justification for their purchases.
  • Another UNH department reviewed and approved their transactions, seeking reimbursement from the appropriate grants.
  • A federal grand jury recently indicted both men on 31 counts of theft of government funds.

Read the complete article published by fosters.com. It indicates that the fraud was caught via a random audit, but the exact details are unknown.


Audit Recommendations

  1. Do not rely solely on random transaction audits. Be strategic; see examples.
  2. Ensure every cardholder is thoroughly audited at least once per year.
  3. If your organization does not already have it, seriously consider an auditing solution/technology. It covers more ground than what a human can do and is less prone to errors.
  4. For suppliers with whom your organization has an ongoing relationship, obtain reports showing what cardholders have purchased. This can help uncover falsified receipts.
  5. If purchases from Amazon are allowed, audit a high percentage of these transactions every month (audit 100% if using technology). Better yet, switch to Amazon Business, which offers various controls. 
  6. Occasionally verify the presence/location of purchased items to ensure the goods are not somehow “missing,” especially those that might be tempting for personal use.  

See also recommendations related to manager-approvers and how to help them be successful. I wish I knew what the aftermath was for the department that approved the two cardholders’ transactions! Accountability is critical.
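As an added illustration of recommendations 1, 2 and 5 and of reporting results by department (this is not code from the author or from Card Integrity; the column names, keyword lists and sample rows are assumptions constructed here), a DIY selection pass over a transaction export could look like this:

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column layout is an assumption, not an issuer format.
SAMPLE = """cardholder,department,merchant,amount,description
A. Rivera,Research,AMAZON.COM,129.00,Amazon gift card
A. Rivera,Research,FISHER SCI,840.10,Lab supplies
B. Chen,Research,AMZN PRIME MEMBERSHIP,14.99,Prime membership
C. Okafor,Facilities,GRAINGER,212.45,Filters
D. Patel,Admissions,FLOWER SHOP,65.00,Recognition flowers
"""

# Illustrative keyword rules (assumed); tune them to your own policy and merchant names.
# Substring matching is deliberately broad, so expect some false positives to review.
RULES = {
    "amazon": ("amazon", "amzn"),
    "prime_membership": ("prime",),
    "gift_card": ("gift card", "giftcard"),
    "recognition": ("flower", "recognition", "award"),
}

def flag(row):
    """Return the sorted rule names whose keywords appear in merchant or description."""
    text = f"{row['merchant']} {row['description']}".lower()
    return sorted(name for name, kws in RULES.items() if any(k in text for k in kws))

def build_audit(csv_text, audited_this_year=frozenset()):
    """Return (review queue, per-department flag counts, cardholders still unaudited)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    queue, by_dept = [], defaultdict(lambda: defaultdict(int))
    covered = set(audited_this_year)
    for row in rows:
        flags = flag(row)
        if flags:  # every Amazon, gift card and recognition purchase goes to review
            queue.append((row["cardholder"], row["merchant"], flags))
            covered.add(row["cardholder"])
            for name in flags:
                by_dept[row["department"]][name] += 1
    # Cardholders with nothing flagged and no audit yet this year still need one.
    uncovered = sorted({r["cardholder"] for r in rows} - covered)
    return queue, {d: dict(c) for d, c in by_dept.items()}, uncovered

if __name__ == "__main__":
    queue, by_dept, uncovered = build_audit(SAMPLE)
    print(queue, by_dept, uncovered, sep="\n")
```

The department counts support aggregate reporting, while the uncovered list keeps the rule-based selection from replacing the yearly audit of every cardholder.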


P-Card eWorkshop for Auditors

Purchasing Card Audits—Best Strategies for Internal Audit

In early May, I will be delivering a four-hour virtual training course for The Institute of Internal Auditors/American Center for Government Auditing. Targeted at auditors in the public sector, but still suitable for all sectors, the content will help auditors better understand Purchasing Cards and what should be audited. Learn more about this event...  

