A P-Card Separation of Duties Dilemma

How strong are the separation of duties within your P-Card program? An auditor who used my risk analysis template contacted me recently because one AP clerk performs accounting-related tasks that I recommend be split among two or three people. She described how this employee is responsible for: 1) downloading the file of transaction data from the card issuer, 2) making any necessary corrections to account/budget codes within the file, and 3) uploading the corrected file into their accounting/finance system. She asked me about the risks and what I would suggest they change. Certainly, this organization is not alone in having limited accounts payable resources, which makes complete separation of duties difficult to achieve. As a result, compensating controls are even more important. Keep reading to see more about the dilemma noted above and suggestions for improving the situation.

Risks

Within the text file format (.txt)—the format of the interface file downloaded from the issuer—someone can change any part of the data, not just account/budget codes. This organization confirmed to me that there is no record or report of the changes the AP clerk makes within this file. For instance, she could change a vendor name to hide where someone made a purchase.

If the AP clerk also has the ability to order/request new P-Cards, then she could order a card for herself, use it for personal purchases, and change the cardholder name of the resulting transactions in order to conceal her fraud. While this example is a bit far-fetched, it could still happen. Even though internal departments have the opportunity to review spend reports generated by the accounting system (as a compensating control), they may or may not catch something like this. On a side note, monitoring new cards issued each month is a control for catching unauthorized cards.

Suggestions

  • Make every effort to separate the duties and/or establish the appropriate oversight.

  • Avoid making any changes within the downloaded interface file. Besides the risks noted above, it is too easy to accidentally do something that shifts the data, which can cause problems when uploading to the accounting system. Make the necessary corrections after the file is uploaded.

  • Inquire about the ability of the accounting system to produce an audit trail—a record or report—of changes made. If one is available, a supervisor should review it.

  • Compare reports from the card issuer’s system to reports from the accounting/finance system to ensure accuracy. At least do some spot checking concerning vendor and/or cardholder totals. For example, if a report from the card issuer shows John Smith spent $3,100 for the cycle, verify against the accounting system. This type of activity should be completed by someone who is not involved with the three steps noted above in the post introduction.

  • Finally, contact cardholders and their manager-approvers about any coding errors, so they can learn from the mistakes.

Risk Analysis Event and Template

In June, I will be delivering a three-hour virtual workshop on P-Card risk assessments, hosted by AP Now. One of the planned topics is potential risks related to accounting processes. For details and registration, please visit AP Now. As a bonus, attendees will receive a copy of the risk analysis template by Recharged Education, which normally sells for $89.99. It includes more than 100 questions to help you do a robust evaluation of P-Card controls.

Do you have a gap in your P-Card controls? Evaluate the risk and the potential solutions.

Do you have a gap in your P-Card controls? Evaluate the risk and the potential solutions.



Subscribe to the Blog

Receive notice of new blog posts.

About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With 20 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more

Stop Blaming P-Cards

When internal card fraud arises, an unfortunate, but common, response is to blame the product itself and take cards away from employees or severely restrict card usage. However, the problem is not Purchasing Cards; rather, it is end-user organizations that lack effective controls. This point is clearly demonstrated in the fraud case that rocked a public school district in my home state of Minnesota. I first wrote about it in July of 2017, but it made the news again last week because the party in question—former school superintendent Rod Thompson—pleaded guilty to 19 felonies. The 16-month FBI investigation that started with a look into his P-Card usage led to the discovery of other crimes and policy infractions he had committed. See more below, as well as key questions every Commercial Card program manager should answer.  

The Fraud Case

Thompson’s felonies include theft by swindle, embezzling public funds, and possessing stolen property. He admitted to using his P-Card for numerous personal purchases totaling tens of thousands of dollars. I laughed out loud when his attorney said Thompson was remorseful for his actions. Was he sorry after he bought the flat-screen TV for his home? How about after he purchased an Xbox gaming system? Did he ever turn himself in because he was sorry? Was he sorry enough to stop committing internal fraud? No. He was only sorry after getting caught.

A group of taxpayers can be credited for cracking the case. In response to a district announcement about a substantial budget problem, they requested, received, and dug into spend reports, even though some people basically called them paranoid. This tells me the district was simply sitting on the valuable information. Either no one internally ever reviewed Thompson’s spend activity or they chose to ignore it. I’m not sure which is worse.

The eventual FBI investigation also revealed Thompson used his position to gain personal benefits from a construction company. They paid for tickets to various events (e.g., Minnesota Vikings games) and did work on Thompson’s home. In turn, he awarded them lucrative school contracts. The lesson here is, if you find an employee guilty of one thing, there is a good chance they are guilty of more.

Thompson will receive some prison time, as well as pay approximately $75,000 in restitution.

Eliminating Commercial Cards is the wrong way to respond to internal card fraud. Rather, conduct a thorough program risk analysis and close the control gaps that make fraud easy to commit.

Eliminating Commercial Cards is the wrong way to respond to internal card fraud. Rather, conduct a thorough program risk analysis and close the control gaps that make fraud easy to commit.

Six Questions

If you can answer “yes” to the following questions, your organization is in good shape for preventing and detecting internal card fraud. Nevertheless, a full risk analysis will provide a more complete picture.

  1. Does every cardholder have an appropriate-level “manager-approver” who reviews transactions at least monthly?

  2. Are cardholders and manager-approvers required to sign an internal agreement, and complete training and/or a quiz each year?

  3. Are executive-level cardholders held to the same standards/rules as others?

  4. Do you have a separate, robust auditing process (e.g., auditing technology) to identify potential issues and fraud?

  5. Does your organization enforce detailed receipt requirements? Thompson often omitted receipts or only provided vague ones.

  6. Are tips about suspicious activity followed up on, even if they seem far fetched?

Related Resources



Subscribe to the Blog

Receive notice of new blog posts.

About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With 20 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more

The Party’s Over for Two Cardholders Taken into Custody

Two cardholders from a university are facing federal charges in conjunction with internal card fraud, but, as always, I keep thinking about the reviewers/approvers in this case. They are supposed to be the first line of defense against cardholder fraud and misuse, but we all know that managers’ vigilance can be hit or miss. This reality means the auditing process better be sound to catch anything missed at the cardholder and manager levels. Keep reading to see more about the fraud case, obtain six audit recommendations, and learn about a May virtual workshop for auditors.

About the Case

The two employees, who both held research-related positions at the University of New Hampshire (UNH), allegedly used their P-Cards to make thousands of dollars in personal purchases, including Amazon gift cards, and then falsified receipts. As reported by fosters.com, a service of seacoastonline.com:

  • The cards were intended for expenses incurred through research covered by federal grants.
  • They were required to provide receipts and written justification for their purchases.
  • Another UNH department reviewed and approved their transactions, seeking reimbursement from the appropriate grants.
  • A federal grand jury recently indicted both men on 31 counts of theft of government funds.

Read the complete article published by fosters.com. It indicates that the fraud was caught via a random audit, but the exact details are unknown.

Since managers’ vigilance (in overseeing cardholders’ activity) can be hit or miss, the auditing process better be sound...

Audit Recommendations

  1. Do not rely solely on random transaction audits. Be strategic; see examples.
  2. Ensure every cardholder is thoroughly audited at least once per year.
  3. If your organization does not already have it, seriously consider an auditing solution/technology. It covers more ground than what a human can do and is less prone to errors.
  4. For suppliers with whom your organization has an ongoing relationship, obtain reports showing what cardholders have purchased. This can help uncover falsified receipts.
  5. If purchases from Amazon are allowed, audit a high percentage of these transactions every month (audit 100% if using technology). Better yet, switch to Amazon Business, which offers various controls. 
  6. Occasionally verify the presence/location of purchased items to ensure the goods are not somehow “missing,” especially those that might be tempting for personal use.  

See also recommendations related to manager-approvers and how to help them be successful. I wish I knew what the aftermath was for the department that approved the two cardholders’ transactions! Accountability is critical.


P-Card eWorkshop for Auditors

Purchasing Card Audits—Best Strategies for Internal Audit

In early May, I will be delivering a four-hour virtual training course for The Institute of Internal Auditors/American Center for Government Auditing. Targeted at auditors in the public sector, but still suitable for all sectors, the content will help auditors better understand Purchasing Cards and what should be audited. Learn more about this event...  


About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With 20 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more

Subscribe to the Blog

Receive notice of new blog posts.